
Analysis Report Swift_Copy.exe

Overview

General Information

Sample Name: Swift_Copy.exe
Analysis ID: 383913
MD5: c53851f4f5da5ebaf1f67d3ab518478f
SHA1: ae74eadcb41c8662fc0ec8319bd8fdaabcf68631
SHA256: 96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c
Tags: AgentTesla, exe, SWIFT

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Swift_Copy.exe (PID: 7136 cmdline: 'C:\Users\user\Desktop\Swift_Copy.exe' MD5: C53851F4F5DA5EBAF1F67D3AB518478F)
    • schtasks.exe (PID: 5820 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Swift_Copy.exe (PID: 7084 cmdline: C:\Users\user\Desktop\Swift_Copy.exe MD5: C53851F4F5DA5EBAF1F67D3AB518478F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "result.package@yandex.ruBlessing123smtp.yandex.ru"}

Yara Overview

Memory Dumps

Source: 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.679327562.0000000003AA4000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

Unpacked PEs

Source: 0.2.Swift_Copy.exe.3998308.2.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 7.2.Swift_Copy.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.Swift_Copy.exe.3998308.2.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.Swift_Copy.exe.3ac7e48.3.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift_Copy.exe', ParentImage: C:\Users\user\Desktop\Swift_Copy.exe, ParentProcessId: 7136, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp', ProcessId: 5820

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Swift_Copy.exe.3998308.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "result.package@yandex.ruBlessing123smtp.yandex.ru"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Swift_Copy.exe | Joe Sandbox ML: detected
Source: 7.2.Swift_Copy.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Swift_Copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Swift_Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265A4C8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265B9E8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265B9DB
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265A4B8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0265A57C
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: unknown | DNS traffic detected: queries for: smtp.yandex.ru
Source: Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | String found in binary or memory: http://Mjyucn.com
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: Swift_Copy.exe, 00000000.00000003.642112108.00000000058DC000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: Swift_Copy.exe, 00000000.00000002.678282879.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: Swift_Copy.exe, 00000000.00000003.643926524.0000000000E4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comM
Source: Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comX.
Source: Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comams
Source: Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcin
Source: Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comilyQWp
Source: Swift_Copy.exe, 00000000.00000003.644951493.00000000058DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comitsUPt
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp, Swift_Copy.exe, 00000000.00000003.644951493.00000000058DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comon
Source: Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.compe
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comaC
Source: Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.come.comg
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Swift_Copy.exe, 00000000.00000003.643261904.0000000000E4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Swift_Copy.exe, 00000000.00000003.642823074.000000000590D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/1
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Swift_Copy.exe, 00000000.00000003.643087619.00000000058D8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn8
Source: Swift_Copy.exe, 00000000.00000003.643329522.0000000000E4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnTC
Source: Swift_Copy.exe, 00000000.00000003.643087619.00000000058D8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnby
Source: Swift_Copy.exe, 00000000.00000003.643240184.00000000058D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh
Source: Swift_Copy.exe, 00000000.00000003.650192233.0000000005915000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Swift_Copy.exe, 00000000.00000003.650192233.0000000005915000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/A
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp, Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-d5
Source: Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krK
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Swift_Copy.exe, 00000000.00000003.650087675.0000000005915000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kra-d
Source: Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krim
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: http://yandex.ocsp-responder.com03
Source: Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.908373362.0000000003439000.00000004.00000001.sdmp | String found in binary or memory: https://4NZrCGMkBwFxC.org
Source: Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Swift_Copy.exe | String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: Swift_Copy.exe | String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: Swift_Copy.exe | String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | String found in binary or memory: https://www.certum.pl/CPS0
Source: Swift_Copy.exe, 00000000.00000002.679327562.0000000003AA4000.00000004.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                    System Summary:

                    barindex
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_00402D410_2_00402D41
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_02651B300_2_02651B30
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026560A00_2_026560A0
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026559380_2_02655938
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026509AA0_2_026509AA
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026567080_2_02656708
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_0265ACC80_2_0265ACC8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026575080_2_02657508
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_02658DB20_2_02658DB2
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_02656AA10_2_02656AA1
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_02651B1F0_2_02651B1F
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026520680_2_02652068
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026520570_2_02652057
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_0265609E0_2_0265609E
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026571480_2_02657148
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_0265592B0_2_0265592B
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026571390_2_02657139
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026509CC0_2_026509CC
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026566F80_2_026566F8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_0265773D0_2_0265773D
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026577D00_2_026577D0
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026577BF0_2_026577BF
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026577890_2_02657789
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026574F80_2_026574F8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_02650D7F0_2_02650D7F
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026535300_2_02653530
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_026535380_2_02653538
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_02650D900_2_02650D90
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_027F94A80_2_027F94A8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_027FDCF40_2_027FDCF4
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_027FE2180_2_027FE218
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_027FC3A00_2_027FC3A0
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 0_2_027FA7480_2_027FA748
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_00C220507_2_00C22050
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_01482D507_2_01482D50
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_014820207_2_01482020
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_014826187_2_01482618
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0148BAA87_2_0148BAA8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_01489DB87_2_01489DB8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0150D5407_2_0150D540
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_01505DC07_2_01505DC0
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015030487_2_01503048
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015000607_2_01500060
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015094207_2_01509420
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0150A0C87_2_0150A0C8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0150BB607_2_0150BB60
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0150F3A27_2_0150F3A2
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0150DDC07_2_0150DDC0
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015094107_2_01509410
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015076507_2_01507650
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015076407_2_01507640
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015247607_2_01524760
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015227C87_2_015227C8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_01528F907_2_01528F90
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015223807_2_01522380
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0152AEE87_2_0152AEE8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015231797_2_01523179
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015235087_2_01523508
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015235387_2_01523538
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015269C07_2_015269C0
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0152E9F87_2_0152E9F8
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015231B27_2_015231B2
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015240D07_2_015240D0
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015234C37_2_015234C3
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015233597_2_01523359
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015233067_2_01523306
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0152333E7_2_0152333E
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015233E27_2_015233E2
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015233AB7_2_015233AB
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015232447_2_01523244
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015232647_2_01523264
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_0152320B7_2_0152320B
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015232EB7_2_015232EB
                    Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 7_2_015232B57_2_015232B5
                    Source: Swift_Copy.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: LkUhukiIiawSEs.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Swift_Copy.exe, 00000000.00000000.638991575.00000000004AC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecDisplayClass130.exeD vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000000.00000002.684426291.000000000E630000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000000.00000002.685071132.000000000E730000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000000.00000002.685071132.000000000E730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000000.00000002.683468059.0000000007070000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDywYPVsnvvkYPYwtfgclREFLpEPsDjOMvhyaXVq.exe4 vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000000.00000002.683391733.0000000006EC0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000007.00000002.907247628.0000000001540000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000007.00000002.907099741.0000000001490000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000007.00000002.906853679.000000000137A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000007.00000002.905949395.0000000000CCC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamecDisplayClass130.exeD vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameDywYPVsnvvkYPYwtfgclREFLpEPsDjOMvhyaXVq.exe4 vs Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000007.00000002.907190417.0000000001510000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs Swift_Copy.exe
                    Source: Swift_Copy.exe Binary or memory string: OriginalFilenamecDisplayClass130.exeD vs Swift_Copy.exe
                    Source: Swift_Copy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: Swift_Copy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: LkUhukiIiawSEs.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File created: C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Mutant created: \Sessions\1\BaseNamedObjects\WeWuAmKiSTyv
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File created: C:\Users\user\AppData\Local\Temp\tmpA681.tmp
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\Swift_Copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Swift_Copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File read: C:\Users\user\Desktop\Swift_Copy.exe
                    Source: unknown Process created: C:\Users\user\Desktop\Swift_Copy.exe 'C:\Users\user\Desktop\Swift_Copy.exe'
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp'
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process created: C:\Users\user\Desktop\Swift_Copy.exe C:\Users\user\Desktop\Swift_Copy.exe
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Swift_Copy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Swift_Copy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Code function: 0_2_00405683 push es; retf 0_2_00405684
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Code function: 7_2_00C3853F push dword ptr [esi+3Fh]; iretd 7_2_00C38551
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Code function: 7_2_00C392AB push FFFFFFD9h; iretd 7_2_00C392C8
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Code function: 7_2_01487A37 push edi; retn 0000h 7_2_01487A39
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Code function: 7_2_0150DD70 push E40110C3h; ret 7_2_0150DDB9
                    Source: initial sample Static PE information: section name: .text entropy: 7.56757034965
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File created: C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe

                    Boot Survival:

                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp'
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match File source: 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: Swift_Copy.exe PID: 7136, type: MEMORY
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\Swift_Copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\Swift_Copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Swift_Copy.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Window / User API: threadDelayed 3235
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Window / User API: threadDelayed 6577
                    Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7140 Thread sleep time: -102645s >= -30000s
                    Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7156 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 3976 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6356 Thread sleep time: -23980767295822402s >= -30000s
                    Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 4792 Thread sleep count: 3235 > 30
                    Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 4792 Thread sleep count: 6577 > 30
                    Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6356 Thread sleep count: 31 > 30
                    Source: C:\Users\user\Desktop\Swift_Copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Swift_Copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Thread delayed: delay time: 102645
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: vmware
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: VMWARE
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Swift_Copy.exe, 00000007.00000002.907020522.0000000001435000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls+
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
                    Source: Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Code function: 7_2_0150DB30 LdrInitializeThunk, 7_2_0150DB30
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Memory written: C:\Users\user\Desktop\Swift_Copy.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp'
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Process created: C:\Users\user\Desktop\Swift_Copy.exe C:\Users\user\Desktop\Swift_Copy.exe
                    Source: Swift_Copy.exe, 00000007.00000002.907301364.0000000001900000.00000002.00000001.sdmp Binary or memory string: Program Manager
                    Source: Swift_Copy.exe, 00000007.00000002.907301364.0000000001900000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                    Source: Swift_Copy.exe, 00000007.00000002.907301364.0000000001900000.00000002.00000001.sdmp Binary or memory string: Progman
                    Source: Swift_Copy.exe, 00000007.00000002.907301364.0000000001900000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Users\user\Desktop\Swift_Copy.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Users\user\Desktop\Swift_Copy.exe VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679327562.0000000003AA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679021460.000000000388C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7084, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7136, type: MEMORY
Source: Yara match | File source: 0.2.Swift_Copy.exe.3998308.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Swift_Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.exe.3998308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.exe.3ac7e48.3.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7084, type: MEMORY
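The credential-store paths listed in this section are the most reusable detection material in the report: a browser reads its own Login Data, a mail client reads its own profiles.ini, but nothing legitimate reads all of them from one process. The script below is an added example written for this page, not code from Joe Sandbox or from the sample. Its watchlist is built from the file and registry paths shown above; the event tuples imitate Sysmon-style file-open and registry-open telemetry, and the field layout, the owner process names and the PIDs of the benign rows are assumptions. Because the stealer runs inside a second instance of the same image (PID 7136 in this report), the detection keys on (pid, image) rather than on the image name alone.

```python
"""Flag processes that read credential stores they do not own.

Added example for this report, not part of Joe Sandbox or the sample: the
watchlist is built from the file and registry paths the report shows
Swift_Copy.exe opening. Event tuples imitate Sysmon-style file-open and
registry-open telemetry; the field layout and the owner process names are
assumptions, not a vendor schema.
"""
import re
from collections import defaultdict

# (category, path regex, processes that legitimately read that store)
WATCHLIST = [
    ("browser", r"\\Google\\Chrome\\User Data\\.*\\Login Data$", {"chrome.exe"}),
    ("browser", r"\\Mozilla\\Firefox\\profiles\.ini$", {"firefox.exe"}),
    ("ftp", r"\\FileZilla\\recentservers\.xml$", {"filezilla.exe"}),
    ("ftp", r"\\SmartFTP\\Client 2\.0\\Favorites\\", {"smartftp.exe"}),
    ("mail", r"\\Thunderbird\\profiles\.ini$", {"thunderbird.exe"}),
    ("mail", r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", {"outlook.exe"}),
    ("mail", r"\\IncrediMail\\Identities$", {"incmail.exe"}),
    ("winscp", r"\\Martin Prikryl\\WinSCP 2\\Sessions$", {"winscp.exe"}),
]
COMPILED = [(cat, re.compile(rx, re.IGNORECASE), owners) for cat, rx, owners in WATCHLIST]


def classify(image, path):
    """Return (category, is_owner) when path is a watched store, else None."""
    for cat, rx, owners in COMPILED:
        if rx.search(path):
            return cat, image.lower() in owners
    return None


def detect(events, min_categories=2):
    """Group non-owner accesses per (pid, image) and report processes that
    touched at least min_categories distinct store categories. AgentTesla
    sweeps browser, FTP, mail and WinSCP stores in one run, so a threshold of
    two keeps a lone misbehaving tool below the line and still catches it."""
    touched = defaultdict(set)
    for pid, image, _event_type, path in events:
        hit = classify(image, path)
        if hit is None:
            continue
        category, is_owner = hit
        if not is_owner:
            touched[(pid, image)].add(category)
    return {key: sorted(cats) for key, cats in touched.items() if len(cats) >= min_categories}


# Constructed telemetry: (pid, image, event type, target path). PID 7136 is the
# second Swift_Copy.exe instance from the report; the other rows are invented
# benign activity for contrast.
SAMPLE_EVENTS = [
    (7136, "Swift_Copy.exe", "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (7136, "Swift_Copy.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (7136, "Swift_Copy.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (7136, "Swift_Copy.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"),
    (7136, "Swift_Copy.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (7136, "Swift_Copy.exe", "RegistryOpen", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (7136, "Swift_Copy.exe", "RegistryOpen", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (7136, "Swift_Copy.exe", "RegistryOpen", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (3010, "chrome.exe", "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (3322, "thunderbird.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (4242, "notepad.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (4242, "notepad.exe", "FileOpen", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for (pid, image), categories in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} stores={','.join(categories)}")
```

With the default threshold only the Swift_Copy.exe instance is reported, with all four store categories; lowering min_categories to 1 also surfaces the single Firefox profiles.ini read by notepad.exe, which is the trade-off to make per environment. The owner sets are deliberately narrow: an EDR deployment would key on signed image path rather than file name, since a stealer can trivially be renamed chrome.exe.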

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679327562.0000000003AA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679021460.000000000388C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7084, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7136, type: MEMORY
Source: Yara match | File source: 0.2.Swift_Copy.exe.3998308.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Swift_Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.exe.3998308.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift_Copy.exe.3ac7e48.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The report renders the full matrix as a grid; the same content is listed here by tactic (column), in the report's row order. A number in square brackets is the signature-count badge the report attaches to that technique, reproduced as extracted; techniques without a bracket carry no badge in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [112]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [112]; Obfuscated Files or Information [3]; Software Packing [3]; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry [1]; Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [114]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Email Collection [1]; Archive Collected Data [1]; Data from Local System [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                    Behavior Graph

Behavior Graph ID: 383913 | Sample: Swift_Copy.exe | Start date: 08/04/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; Yara detected AgentTesla; 4 other signatures

Process tree as drawn in the graph (node numbers are the graph's own):

- Swift_Copy.exe (node 7), started from the sample
  - Dropped files: C:\Users\user\AppData\...\LkUhukiIiawSEs.exe (PE32); C:\...\LkUhukiIiawSEs.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpA681.tmp (XML); C:\Users\user\AppData\...\Swift_Copy.exe.log (ASCII)
  - Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Injects a PE file into a foreign processes
  - Swift_Copy.exe (node 11), a second instance of the same image; the parent's injection signature together with this node's stealer signatures and the Yara hit on 7.2.Swift_Copy.exe.400000.0.unpack place the unpacked AgentTesla payload here
    - Network: smtp.yandex.ru (77.88.21.158), local port 49763 to remote port 587, AS YANDEXRU, Russian Federation
    - Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  - schtasks.exe (node 15)
    - conhost.exe (node 17)
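The graph's value for a responder is the chain, not any single node: a dropper that writes a PE to AppData, registers a task through schtasks.exe from a %TEMP% XML, spawns a second copy of itself and then lets that copy talk SMTP submission on 587. The script below is an added example for this page, not Joe Sandbox's code. Image names, dropped file names, the destination IP and the port are taken from the report; the event layout, the schtasks command line (the report only shows the dropped XML, so the command line here is assumed), the helper PIDs and the scoring weights are assumptions.

```python
"""Rebuild the process tree the behavior graph draws and score the chain it
shows: dropper -> schtasks.exe fed an XML from %TEMP% -> second instance of
the same image talking SMTP submission (587).

Added example for this report, not Joe Sandbox's code. Image names, dropped
file names, the destination IP and port come from the report; the event
layout, the schtasks command line, helper PIDs and weights are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]
    children: List["Proc"] = field(default_factory=list)
    dropped: List[str] = field(default_factory=list)
    connections: List[Tuple[str, int]] = field(default_factory=list)


def build_tree(events) -> Dict[int, Proc]:
    """Link ProcessCreate / FileCreate / NetworkConnect events into Proc nodes."""
    procs: Dict[int, Proc] = {}
    for ev in events:
        if ev["type"] == "ProcessCreate":
            procs[ev["pid"]] = Proc(ev["pid"], ev["image"], ev["cmdline"], ev["parent"])
        elif ev["type"] == "FileCreate":
            procs[ev["pid"]].dropped.append(ev["path"])
        elif ev["type"] == "NetworkConnect":
            procs[ev["pid"]].connections.append((ev["dst"], ev["port"]))
    for p in procs.values():
        if p.parent in procs:
            procs[p.parent].children.append(p)
    return procs


MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # allowed to speak SMTP submission


def score_root(root: Proc) -> List[Tuple[int, str]]:
    """Walk the subtree under root and return (weight, reason) findings."""
    findings = []
    for path in root.dropped:
        lp = path.lower()
        if lp.endswith(".exe") and "\\appdata\\roaming\\" in lp:
            findings.append((2, f"{root.image} ({root.pid}) dropped a PE under AppData Roaming: {path}"))
    stack = [root]
    while stack:
        p = stack.pop()
        for dst, port in p.connections:
            if port == 587 and p.image.lower() not in MAIL_CLIENTS:
                findings.append((4, f"{p.image} ({p.pid}) connected to {dst}:587 but is not a mail client"))
        for c in p.children:
            cl = c.cmdline.lower()
            if c.image.lower() == "schtasks.exe" and "/create" in cl and "\\appdata\\local\\temp\\" in cl:
                findings.append((3, f"{p.image} ({p.pid}) registered a scheduled task from a temp XML via schtasks"))
            if c.image.lower() == p.image.lower():
                findings.append((2, f"{p.image} ({p.pid}) spawned a second instance of itself ({c.pid}), the usual shape of self-injection"))
            stack.append(c)
    return findings


def verdict(findings) -> str:
    total = sum(w for w, _ in findings)
    return "malicious" if total >= 6 else "suspicious" if total >= 3 else "benign"


# Constructed telemetry modelled on the graph. PIDs 7084 and 7136 are the two
# Swift_Copy.exe instances the report names; 7100, 7120 and 1000 are invented.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 7084, "parent": 1000, "image": "Swift_Copy.exe",
     "cmdline": r"C:\Users\user\Desktop\Swift_Copy.exe"},
    {"type": "FileCreate", "pid": 7084, "path": r"C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe"},
    {"type": "FileCreate", "pid": 7084, "path": r"C:\Users\user\AppData\Local\Temp\tmpA681.tmp"},
    {"type": "ProcessCreate", "pid": 7100, "parent": 7084, "image": "schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN ExampleTask /XML "C:\Users\user\AppData\Local\Temp\tmpA681.tmp"'},
    {"type": "ProcessCreate", "pid": 7120, "parent": 7100, "image": "conhost.exe", "cmdline": "conhost.exe"},
    {"type": "ProcessCreate", "pid": 7136, "parent": 7084, "image": "Swift_Copy.exe",
     "cmdline": r"C:\Users\user\Desktop\Swift_Copy.exe"},
    {"type": "NetworkConnect", "pid": 7136, "dst": "77.88.21.158", "port": 587},
]
# A real mail client on 587 must not score (constructed, RFC 5737 address).
BENIGN_EVENTS = [
    {"type": "ProcessCreate", "pid": 500, "parent": 1000, "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"type": "NetworkConnect", "pid": 500, "dst": "192.0.2.25", "port": 587},
]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_EVENTS)
    found = score_root(tree[7084])
    for weight, reason in found:
        print(f"[{weight}] {reason}")
    print("verdict:", verdict(found))
```

The weights are illustrative; what matters is that each finding is attached to the parent that caused it, so the alert lands on the dropper (PID 7084) even though the network connection belongs to the injected child. The 587 check is the one most worth keeping in production form, allow-listed by signed image path rather than file name, because AgentTesla's SMTP exfiltration to a public mail provider blends in at the network layer and only stands out when tied to the originating process.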


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
Swift_Copy.exe | 100% | Joe Sandbox ML | (none)

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe | 100% | Joe Sandbox ML | (none)

Unpacked PE Files
Source | Detection | Scanner | Label
7.2.Swift_Copy.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Every entry below was rated 0% / safe by the scanner named with it (the extraction repeated each URL Reputation verdict three times; the repeats are collapsed here). Most of these strings are truncated vendor and copyright URLs carried inside the Windows font files the process enumerated (see the volume-information queries above), with trailing junk bytes where the string scanner overran; they are not contact points. The strings that matter for this family are the api.ipify.org lookups (external IP discovery), DynDns.com, the Tor Browser download path with its %tordir% placeholder, and the yandex OCSP responder, which fits the smtp.yandex.ru exfiltration channel listed under Contacted Domains.

URL | Scanner
http://127.0.0.1:HTTP/1.1 | Avira URL Cloud
http://www.founder.com.cn/cn/bThe | URL Reputation
http://www.carterandcone.comcin | Avira URL Cloud
http://www.carterandcone.comilyQWp | Avira URL Cloud
http://www.carterandcone.comams | Avira URL Cloud
http://www.sandoll.co.kra-d | Avira URL Cloud
http://www.tiro.com | URL Reputation
http://www.goodfont.co.kr | URL Reputation
http://www.carterandcone.com | URL Reputation
https://4NZrCGMkBwFxC.org | Avira URL Cloud
http://www.sajatypeworks.com | URL Reputation
http://subca.ocsp-certum.com0. | URL Reputation
http://www.typography.netD | URL Reputation
http://www.founder.com.cn/cn/cThe | URL Reputation
http://www.galapagosdesign.com/staff/dennis.htm | URL Reputation
http://fontfabrik.com | URL Reputation
http://subca.ocsp-certum.com01 | URL Reputation
http://www.galapagosdesign.com/DPlease | URL Reputation
https://api.ipify.org%GETMozilla/5.0 | URL Reputation
http://www.sandoll.co.kr | URL Reputation
http://www.urwpp.deDPlease | URL Reputation
http://www.zhongyicts.com.cn | URL Reputation
http://www.sakkal.com | URL Reputation
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | URL Reputation
http://www.founder.com.cn/cnh | Avira URL Cloud
http://www.carterandcone.comM | Avira URL Cloud
http://www.fontbureau.come.comg | Avira URL Cloud
http://www.galapagosdesign.com/ | URL Reputation
http://DynDns.comDynDNS | URL Reputation
http://www.carterandcone.compe | Avira URL Cloud
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | URL Reputation
http://www.founder.com.cn/cnTC | Avira URL Cloud
http://www.fontbureau.comaC | Avira URL Cloud
http://www.goodfont.co.krK | Avira URL Cloud
http://www.galapagosdesign.com/A | Avira URL Cloud
http://www.fontbureau.come.com | URL Reputation
http://en.w | URL Reputation
http://www.goodfont.co.kr-d5 | Avira URL Cloud
https://api.ipify.org%$ | Avira URL Cloud
http://www.carterandcone.coml | URL Reputation
http://yandex.ocsp-responder.com03 | URL Reputation
http://www.founder.com.cn/cn/ | URL Reputation
http://www.carterandcone.comX. | Avira URL Cloud
http://www.founder.com.cn/cn | URL Reputation
http://www.carterandcone.comitsUPt | Avira URL Cloud
http://Mjyucn.com | Avira URL Cloud

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | - | high

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/? | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comcin | Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comilyQWp | Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
https://dist.nuget.org/win-x86-commandline/latest/nuget.exe | Swift_Copy.exe | false | - | high
http://www.carterandcone.comams | Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://yandex.crl.certum.pl/ycasha2.crl0q | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kra-d | Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp, Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://4NZrCGMkBwFxC.org | Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.908373362.0000000003439000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Swift_Copy.exe, 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com0. | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.certum.pl/ca.cer09 | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://subca.ocsp-certum.com01 | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip | Swift_Copy.exe | false | - | high
http://www.fonts.com | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Swift_Copy.exe, 00000000.00000002.678282879.0000000002881000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Swift_Copy.exe, 00000000.00000002.679327562.0000000003AA4000.00000004.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certum.pl/CPS0 | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnh | Swift_Copy.exe, 00000000.00000003.643240184.00000000058D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comM | Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://repository.certum.pl/ycasha2.cer0 | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.come.comg | Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Swift_Copy.exe, 00000000.00000003.643926524.0000000000E4B000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | false | - | high
http://www.galapagosdesign.com/ | Swift_Copy.exe, 00000000.00000003.650192233.0000000005915000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.compe | Swift_Copy.exe, 00000000.00000003.645067834.00000000058DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://repository.certum.pl/ctnca.cer09 | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.certum.pl/ctnca.crl0k | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
https://github.com/d-haxton/HaxtonBot/archive/master.zip | Swift_Copy.exe | false | - | high
http://www.founder.com.cn/cnTC | Swift_Copy.exe, 00000000.00000003.643329522.0000000000E4B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comaC | Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krK | Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/A | Swift_Copy.exe, 00000000.00000003.650192233.0000000005915000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.certum.pl/CPS0 | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.come.com | Swift_Copy.exe, 00000000.00000002.677842302.0000000000E40000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://en.w | Swift_Copy.exe, 00000000.00000003.642112108.00000000058DC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr-d5 | Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%$ | Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp, Swift_Copy.exe, 00000000.00000003.644951493.00000000058DF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://yandex.ocsp-responder.com03 | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comX. | Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | Swift_Copy.exe, 00000000.00000003.643261904.0000000000E4B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comitsUPt | Swift_Copy.exe, 00000000.00000003.644951493.00000000058DF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://Mjyucn.com | Swift_Copy.exe, 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crls.yandex.net/certum/ycasha2.crl0- | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
http://www.monotype. | Swift_Copy.exe, 00000000.00000003.650087675.0000000005915000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn8 | Swift_Copy.exe, 00000000.00000003.643087619.00000000058D8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krim | Swift_Copy.exe, 00000000.00000003.642828172.00000000058D6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | Swift_Copy.exe, 00000000.00000002.683168352.0000000006AE2000.00000004.00000001.sdmp | false | - | high
http://crl.certum.pl/ca.crl0h | Swift_Copy.exe, 00000007.00000002.908294055.000000000340F000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnby | Swift_Copy.exe, 00000000.00000003.643087619.00000000058D8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comon | Swift_Copy.exe, 00000000.00000003.644513709.00000000058D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/1 | Swift_Copy.exe, 00000000.00000003.642823074.000000000590D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                                                      Contacted IPs

                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false

                                                                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383913
Start date: 08.04.2021
Start time: 12:21:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 8s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Swift_Copy.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0%)
• Quality average: 28%
• Quality standard deviation: 39.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 115
• Number of non-executed functions: 15
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 23.54.113.53, 13.88.21.125, 168.61.161.212, 20.82.210.154, 23.10.249.26, 23.10.249.43, 52.147.198.201, 52.155.217.156, 67.26.137.254, 8.241.79.126, 8.241.79.254, 67.26.81.254, 8.241.83.126, 20.54.26.129
                                                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383913/sample/Swift_Copy.exe

Simulations

Behavior and APIs

Time | Type | Description
12:22:01 | API Interceptor | 585x Sleep call for process: Swift_Copy.exe modified

Joe Sandbox View / Context

IPs

Match: 77.88.21.158
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C6RET8T1Wi.exe | Get hash | malicious | Browse |
RFQ# ZAT77095_pdf.exe | Get hash | malicious | Browse |
AL JUNEIDI LIST.xlsx | Get hash | malicious | Browse |
SWIFT.exe | Get hash | malicious | Browse |
Payment _Advice (2).exe | Get hash | malicious | Browse |
cricket.exe | Get hash | malicious | Browse |
SG1_000000123205044_1.pdf.gz.exe | Get hash | malicious | Browse |
Ordine d'acquisto 240517_04062021.exe | Get hash | malicious | Browse |
Order 01042021-V728394-H16.pdf.exe | Get hash | malicious | Browse |
RFQ#EX50GO_pdf.exe | Get hash | malicious | Browse |
TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe | Get hash | malicious | Browse |
Shandong CIRS Form.exe | Get hash | malicious | Browse |
DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe | Get hash | malicious | Browse |
REQUEST QUOTATION BID..pdf.exe | Get hash | malicious | Browse |
RFQ#ZAEL67012_doc.exe | Get hash | malicious | Browse |
Q99Eljz7IT.exe | Get hash | malicious | Browse |
SecuriteInfo.com.Trojan.PackedNET.576.12750.exe | Get hash | malicious | Browse |
Swift Copy Against due Invoice.PDF.exe | Get hash | malicious | Browse |
PO#ZA3MMA_pdf.exe | Get hash | malicious | Browse |
kfMrlKSN4F.exe | Get hash | malicious | Browse |

Domains

Match: smtp.yandex.ru
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C6RET8T1Wi.exe | Get hash | malicious | Browse | 77.88.21.158
RFQ# ZAT77095_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
AL JUNEIDI LIST.xlsx | Get hash | malicious | Browse | 77.88.21.158
SWIFT.exe | Get hash | malicious | Browse | 77.88.21.158
Payment _Advice (2).exe | Get hash | malicious | Browse | 77.88.21.158
cricket.exe | Get hash | malicious | Browse | 77.88.21.158
SG1_000000123205044_1.pdf.gz.exe | Get hash | malicious | Browse | 77.88.21.158
Ordine d'acquisto 240517_04062021.exe | Get hash | malicious | Browse | 77.88.21.158
Order 01042021-V728394-H16.pdf.exe | Get hash | malicious | Browse | 77.88.21.158
RFQ#EX50GO_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
Shandong CIRS Form.exe | Get hash | malicious | Browse | 77.88.21.158
DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe | Get hash | malicious | Browse | 77.88.21.158
REQUEST QUOTATION BID..pdf.exe | Get hash | malicious | Browse | 77.88.21.158
RFQ#ZAEL67012_doc.exe | Get hash | malicious | Browse | 77.88.21.158
Q99Eljz7IT.exe | Get hash | malicious | Browse | 77.88.21.158
SecuriteInfo.com.Trojan.PackedNET.576.12750.exe | Get hash | malicious | Browse | 77.88.21.158
Swift Copy Against due Invoice.PDF.exe | Get hash | malicious | Browse | 77.88.21.158
PO#ZA3MMA_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
kfMrlKSN4F.exe | Get hash | malicious | Browse | 77.88.21.158

ASN

Match: YANDEXRU
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C6RET8T1Wi.exe | Get hash | malicious | Browse | 77.88.21.158
RFQ# ZAT77095_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
AL JUNEIDI LIST.xlsx | Get hash | malicious | Browse | 77.88.21.158
SWIFT.exe | Get hash | malicious | Browse | 77.88.21.158
Payment _Advice (2).exe | Get hash | malicious | Browse | 77.88.21.158
cricket.exe | Get hash | malicious | Browse | 77.88.21.158
SG1_000000123205044_1.pdf.gz.exe | Get hash | malicious | Browse | 77.88.21.158
Ordine d'acquisto 240517_04062021.exe | Get hash | malicious | Browse | 77.88.21.158
_VmailMessage_Wave19922626.html | Get hash | malicious | Browse | 77.88.21.179
Order 01042021-V728394-H16.pdf.exe | Get hash | malicious | Browse | 77.88.21.158
RFQ#EX50GO_pdf.exe | Get hash | malicious | Browse | 77.88.21.158
TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe | Get hash | malicious | Browse | 77.88.21.158
Shandong CIRS Form.exe | Get hash | malicious | Browse | 77.88.21.158
DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe | Get hash | malicious | Browse | 77.88.21.158
REQUEST QUOTATION BID..pdf.exe | Get hash | malicious | Browse | 77.88.21.158
RFQ#ZAEL67012_doc.exe | Get hash | malicious | Browse | 77.88.21.158
Q99Eljz7IT.exe | Get hash | malicious | Browse | 77.88.21.158
SecuriteInfo.com.Trojan.PackedNET.576.12750.exe | Get hash | malicious | Browse | 77.88.21.158
Swift Copy Against due Invoice.PDF.exe | Get hash | malicious | Browse | 77.88.21.158
scan-100218.docm | Get hash | malicious | Browse | 93.158.134.119

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift_Copy.exe.log
Process: C:\Users\user\Desktop\Swift_Copy.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpA681.tmp
Process: C:\Users\user\Desktop\Swift_Copy.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.178072543711801
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG+tn:cbhK79lNQR/rydbz9I3YODOLNdq3n
MD5: 7DFC789BAB5870A7ECBEAFA515B8C1AA
SHA1: B6C823E4BEECB4FC0F8BD33704338632C4C6CADF
SHA-256: 520ED5A6C60042B539D16AC98F262A46DB1FDC81BAB2E09E80C9470D8ACB6915
SHA-512: 16471327B9D67C80F6C2696F7B0DAC0CF25F4136A7C910F6FEAD669D57A944A7B3FDDFAB18FDF75D912E786E8A3911389641D2867DC40F11087EC893A80F5EEC
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe
Process: C:\Users\user\Desktop\Swift_Copy.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 903680
Entropy (8bit): 7.229491275296957
Encrypted: false
SSDEEP: 12288:c5xIIK2eESixf0BN7gCfwCDLcGDrGplpUQYcUYusIKUvE+:c5iIVZM7gCfwCDLcGnMlpUQvU0Ic
MD5: C53851F4F5DA5EBAF1F67D3AB518478F
SHA1: AE74EADCB41C8662FC0EC8319BD8FDAABCF68631
SHA-256: 96259C3B83002E4A46A66A27F0F8510C96359055BD7D9C1F8A723A1F21D71C9C
SHA-512: 6917BFDC751283ED2E0D16D694E762209E1F1E9E1963D25EA066A318D2C760DCCE7F1348FBEA9F10427C7FAD2777D77708F858954FBF4CE558566FC8DF8A154C
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n`..............P......F......F.... ........@.. .......................@............@.....................................O.......<B................... ....................................................... ............... ..H............text...L.... ...................... ..`.rsrc...<B.......D..................@..@.reloc....... ......................@..B................(.......H........?..|H...........................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....ol...('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......

C:\Users\user\AppData\Roaming\LkUhukiIiawSEs.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Swift_Copy.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.229491275296957
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Swift_Copy.exe
File size: 903680
MD5: c53851f4f5da5ebaf1f67d3ab518478f
SHA1: ae74eadcb41c8662fc0ec8319bd8fdaabcf68631
SHA256: 96259c3b83002e4a46a66a27f0f8510c96359055bd7d9c1f8a723a1f21d71c9c
SHA512: 6917bfdc751283ed2e0d16d694e762209e1f1e9e1963d25ea066a318d2c760dcce7f1348fbea9f10427c7fad2777d77708f858954fbf4ce558566fc8df8a154c
SSDEEP: 12288:c5xIIK2eESixf0BN7gCfwCDLcGDrGplpUQYcUYusIKUvE+:c5iIVZM7gCfwCDLcGnMlpUQvU0Ic
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n`..............P......F......F.... ........@.. .......................@............@................................

File Icon

Icon Hash: e8d4ae708e8ec461

Static PE Info

General

Entrypoint: 0x4aa046
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x606EBC89 [Thu Apr 8 08:19:21 2021 UTC] (about two hours before the 12:21 CEST / 10:21 UTC run recorded in the network tables below, so the sample was built shortly before it was submitted)
TLS Callbacks: none
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744 (the generic value shared by every .NET executable whose only native import is mscoree.dll!_CorExeMain; it cannot be used to pivot to related samples)

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the same instruction repeats for the rest of the preview)

This is the standard native stub of a managed executable: a single jump through the IAT entry at 0x402000 (the IAT directory) into mscoree.dll!_CorExeMain, which then loads the CLR and runs the managed entry point. Everything after the six-byte stub is zero padding, and the byte pair 00 00 disassembles as "add byte ptr [eax], al", which is why the preview is filled with that instruction. The real code is CIL and does not appear in a native disassembly.

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa9ff4          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xac000          0x3423c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The populated COM_DESCRIPTOR entry (the 0x48-byte CLR header at RVA 0x2008) is what marks the file as managed code. The empty SECURITY entry is consistent with "Digitally signed: false", and the empty TLS entry confirms there are no TLS callbacks that could run before the entry point.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xa804c       0xa8200   False     0.792524395911   data       7.56757034965   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xac000          0x3423c       0x34400   False     0.389924117823   data       5.7618899933    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe2000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

An entropy of 7.57 bits per byte in .text is far higher than plain CIL code reaches and points to an encrypted or compressed blob stored in the section, which fits the "Injects a PE file into a foreign processes" signature: the file is a .NET loader that decrypts and injects the AgentTesla payload at run time. The raw sizes plus the 0x200 header add up to 0xdca00 = 903680 bytes, exactly the file size, so nothing is appended as an overlay.

Resources

Name           RVA      Size     Type                                                                                                                                       Language  Country
RT_ICON        0xac220  0x521e   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xb1450  0x6f5a   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xb83bc  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0xc8bf4  0x94a8   data
RT_ICON        0xd20ac  0x5488   data
RT_ICON        0xd7544  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 15794175, next used block 4294902528
RT_ICON        0xdb77c  0x25a8   data
RT_ICON        0xddd34  0x10a8   data
RT_ICON        0xdedec  0x988    data
RT_ICON        0xdf784  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xdfbfc  0x92     data
RT_VERSION     0xdfca0  0x39a    data
RT_MANIFEST    0xe004c  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

The "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" types are file-type heuristic misfires on raw bitmap icon data (RT_ICON entries are either PNG or a BITMAPINFOHEADER-led bitmap); they do not indicate embedded database files. The Language and Country columns are empty for every entry.

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2016 Computer City
Assembly Version  1.12.0.2
InternalName      cDisplayClass130.exe
FileVersion       1.12.0.2
CompanyName       Computer City
LegalTrademarks   
Comments          
ProductName       UnmanagedAccessor
ProductVersion    1.12.0.2
FileDescription   UnmanagedAccessor
OriginalFilename  cDisplayClass130.exe

InternalName and OriginalFilename (cDisplayClass130.exe) do not match the delivered name Swift_Copy.exe, and the company and product strings (Computer City, UnmanagedAccessor) have nothing to do with a SWIFT payment copy; the version block is decoy metadata and the on-disk name is the lure.
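The static facts above (CLR header present, .text entropy near 8, compile timestamp a couple of hours before the run, generic .NET import hash) are the ones an analyst checks first when a report like this lands. The following script is an added example, not Joe Sandbox code or anything from the sample: a stdlib-only PE32 header walker that reproduces those checks. Because it has to run offline, `build_sample_pe()` fabricates a small PE32 image with the same shape (three sections, COM descriptor inside .text, random-looking code, the same timestamp); the field offsets are from the PE/COFF specification, and the entropy and age thresholds in `triage_flags()` are the example's own assumptions.

```python
"""Stand-alone PE32 triage: section entropy, compile timestamp, CLR header.

Added example for the Swift_Copy.exe report. build_sample_pe() is a
constructed test image, not the analysed file.
"""
import math
import random
import struct
from datetime import datetime, timezone

# Data-directory slots from the PE/COFF spec (index into the 16-entry table)
DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF/optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24                                            # optional header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled")
    entry, _, _, image_base = struct.unpack_from("<IIII", image, opt + 16)
    subsystem, dllchars = struct.unpack_from("<HH", image, opt + 68)
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsz, rawptr, _, _, _, _, scn = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + 224 + 40 * i)
        raw = image[rawptr:rawptr + rawsz]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rawsz, "entropy": shannon_entropy(raw), "chars": scn})
    return {"machine": machine, "timestamp": ts,
            "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "entrypoint": image_base + entry, "subsystem": subsystem, "dll_chars": dllchars,
            # a populated COM descriptor (CLR header) is what makes the file managed
            "is_dotnet": ndirs > DIR_COM_DESCRIPTOR and dirs[DIR_COM_DESCRIPTOR] != (0, 0),
            "sections": sections}


def triage_flags(info: dict, observed_utc_iso: str) -> list:
    """Indicators worth a second look. Thresholds (7.0 bits, 24 h) are assumptions."""
    flags = []
    if info["is_dotnet"]:
        flags.append("managed (.NET): imphash is the generic _CorExeMain value, do not pivot on it")
    for s in info["sections"]:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > 7.0:
            flags.append(f"{s['name']} entropy {s['entropy']:.2f}: packed/encrypted code or embedded payload")
    observed = datetime.fromisoformat(observed_utc_iso).replace(tzinfo=timezone.utc)
    age_h = (observed - datetime.fromtimestamp(info["timestamp"], timezone.utc)).total_seconds() / 3600
    if 0 <= age_h < 24:
        flags.append(f"compiled {age_h:.1f} h before observation: fresh build")
    return flags


def build_sample_pe(timestamp: int = 0x606EBC89) -> bytes:
    """Constructed PE32 (not the real sample): CLR header present, random-looking
    .text, zero-filled .rsrc/.reloc, same compile timestamp as the analysed file."""
    rnd = random.Random(1)                                   # deterministic "encrypted" bytes
    text = bytes(rnd.getrandbits(8) for _ in range(0x600))
    layout = [(b".text", 0x2000, text, 0x60000020),
              (b".rsrc", 0x3000, b"\0" * 0x400, 0x40000040),
              (b".reloc", 0x4000, b"\0" * 0x200, 0x42000040)]
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT], dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (0x2400, 0x4F), (0x2000, 8), (0x2008, 0x48)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # 96-byte PE32 optional header
    opt = struct.pack(fmt, 0x10B, 8, 0, len(text), 0x600, 0, 0x2046, 0x2000, 0x3000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x5000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(layout), timestamp, 0, 0, len(opt), 0x0102) + opt
    raw_ptr, body = 0x200, b""
    for name, va, data, scn in layout:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, scn)
        raw_ptr += len(data)
        body += data
    return hdr.ljust(0x200, b"\0") + body


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe())
    for line in triage_flags(info, "2021-04-08T10:21:47"):
        print(line)
```

Run it against the real file with `parse_pe32(open("Swift_Copy.exe", "rb").read())` and the observation time from the network table (12:21:47 CEST is 10:21:47 UTC); the same three flags should come out, with the .text entropy matching the 7.57 in the Sections table.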

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Apr 8, 2021 12:23:58.041680098 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.099801064 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.100040913 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.353423119 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.353864908 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.411636114 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.411648035 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.411887884 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.469594002 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.475990057 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.535142899 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.535176992 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.535213947 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.535240889 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.535269022 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.535346985 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.609344959 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.667721987 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.677011013 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.735066891 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.736507893 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.794429064 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.795034885 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.865326881 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.867058039 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.932322025 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.932701111 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:58.997612000 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:58.997934103 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:59.055736065 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:59.057060003 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:59.057151079 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:59.057636023 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:59.057687044 CEST  49763        587        192.168.2.4   77.88.21.158
Apr 8, 2021 12:23:59.114989996 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:59.115214109 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:59.400861025 CEST  587          49763      77.88.21.158  192.168.2.4
Apr 8, 2021 12:23:59.443780899 CEST  49763        587        192.168.2.4   77.88.21.158

All 38 TCP packets belong to one session from the guest's ephemeral port 49763 to 77.88.21.158 on TCP 587, the SMTP submission port, lasting about 1.4 seconds. AgentTesla commonly exfiltrates harvested credentials over SMTP, so this is the flow to pull from the capture: the EHLO/AUTH exchange carries the attacker's mailbox credentials and the message body carries the stolen data, unless STARTTLS was negotiated, in which case only the server and the authentication attempt are visible.

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 12:23:57.879673004 CEST | 192.168.2.4 | 8.8.8.8 | 0x4048 | Standard query (0) | smtp.yandex.ru | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 12:23:57.894603968 CEST | 8.8.8.8 | 192.168.2.4 | 0x4048 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 8, 2021 12:23:58.353423119 CEST | 587 | 49763 | 77.88.21.158 | 192.168.2.4 | 220 vla5-047c0c0d12a6.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Apr 8, 2021 12:23:58.353864908 CEST | 49763 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 585948
Apr 8, 2021 12:23:58.411648035 CEST | 587 | 49763 | 77.88.21.158 | 192.168.2.4 | 250-vla5-047c0c0d12a6.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Apr 8, 2021 12:23:58.411887884 CEST | 49763 | 587 | 192.168.2.4 | 77.88.21.158 | STARTTLS
Apr 8, 2021 12:23:58.469594002 CEST | 587 | 49763 | 77.88.21.158 | 192.168.2.4 | 220 Go ahead

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 12:21:53
Start date: 08/04/2021
Path: C:\Users\user\Desktop\Swift_Copy.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Swift_Copy.exe'
Imagebase: 0x400000
File size: 903680 bytes
MD5 hash: C53851F4F5DA5EBAF1F67D3AB518478F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.678432365.00000000028D0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.679327562.0000000003AA4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.679021460.000000000388C000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 12:22:07
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LkUhukiIiawSEs' /XML 'C:\Users\user\AppData\Local\Temp\tmpA681.tmp'
Imagebase: 0x360000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:22:07
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:22:08
Start date: 08/04/2021
Path: C:\Users\user\Desktop\Swift_Copy.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Swift_Copy.exe
Imagebase: 0xc20000
File size: 903680 bytes
MD5 hash: C53851F4F5DA5EBAF1F67D3AB518478F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.905753337.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.907725055.00000000030A1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis

Executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID: 2qFk$zn$zn
• API String ID: 0-745833352
• Opcode ID: 3033c9c33de146bcc848de24c020c38dfb07c68f958a6e93ce1e946f2eb1825c
• Instruction ID: f3c4d37dce7d0d277233db5077a3946504df724f53743bce5e330c792dd998a1
• Opcode Fuzzy Hash: 3033c9c33de146bcc848de24c020c38dfb07c68f958a6e93ce1e946f2eb1825c
• Instruction Fuzzy Hash: CD911671D05629CBDB68CF66C844BDDFBB2AF88300F14C5AAD90AB7254EB705A85CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID: x0C$x0C$x#l
• API String ID: 0-1586565900
• Opcode ID: 7db1f6d5768bb2174154127e18880818ff6a9947a4010758bbf99fb071acebd4
• Instruction ID: 4dbf6476409ca026c1ee75cae14fffdb4f48492487a102bc0fb6805d89c4344a
• Opcode Fuzzy Hash: 7db1f6d5768bb2174154127e18880818ff6a9947a4010758bbf99fb071acebd4
• Instruction Fuzzy Hash: 98913774D18228DFCB14DFA4E98969DFBB1FF49300F209569E80AAB395DB349942CF10
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID: 2qFk$zn$zn
• API String ID: 0-745833352
• Opcode ID: 4653b3b487d67a8750ea283aef2fd5ab306bc81a7de1d0fce0f177e8fa963d5a
• Instruction ID: 4ddce3bcc041f07813a83bf81c0c90c1b3d9ef4045d46389970d30471d53f911
• Opcode Fuzzy Hash: 4653b3b487d67a8750ea283aef2fd5ab306bc81a7de1d0fce0f177e8fa963d5a
• Instruction Fuzzy Hash: EA811471E0062ACBDB28CF66C844B9EF7B2BF88300F14C5EAD509A7254EB345A95CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 2qFk$zn$zn
                                                                                                                • API String ID: 0-745833352
                                                                                                                • Opcode ID: 342e454dc5492dbcad240b3c21736e81bc18ae032424ee0b1b4385f322279058
                                                                                                                • Instruction ID: 76cd44bd09fc1df8b95fc567e89cb3ae7232038be5d9f79ca7cfc4a6302524a5
                                                                                                                • Opcode Fuzzy Hash: 342e454dc5492dbcad240b3c21736e81bc18ae032424ee0b1b4385f322279058
                                                                                                                • Instruction Fuzzy Hash: FB611270D1022ACADB68CF65D840BEEF7B2BB88300F1085EAD50AA7650EB705AD5CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 2qFk$zn$zn
                                                                                                                • API String ID: 0-745833352
                                                                                                                • Opcode ID: 159786346ee97f6532c30b96720e602c2f8f3f28e01292c063bbb3593d45dc83
                                                                                                                • Instruction ID: a94f131b9817810ec9f6f1775b518f923d2b5967ce812940269123ecded72954
                                                                                                                • Opcode Fuzzy Hash: 159786346ee97f6532c30b96720e602c2f8f3f28e01292c063bbb3593d45dc83
                                                                                                                • Instruction Fuzzy Hash: 5D611270E0022ACECB68CF65D844BEDB7B2BF88300F1095EAD50AA7640EB745AD5CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 2qFk$zn$zn
                                                                                                                • API String ID: 0-745833352
                                                                                                                • Opcode ID: 0c1233f701b10f5f57909cc500369f91bdeaf84645deec81e446a2343dbf8e50
                                                                                                                • Instruction ID: 2ae8866b1d72dc5baa9cd17e00f167c7d5cbd8cc094dd94b1800ce074807cb36
                                                                                                                • Opcode Fuzzy Hash: 0c1233f701b10f5f57909cc500369f91bdeaf84645deec81e446a2343dbf8e50
                                                                                                                • Instruction Fuzzy Hash: B5511370E5026ACEDB68CF65C844BEDB7B2BF88300F1095E6D50AA7640EB705AD5CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: 2qFk$zn$zn
                                                                                                                • API String ID: 0-745833352
                                                                                                                • Opcode ID: ade670733cf729f4711e05bd1bb3e04b2fd35e2c5889c53c115e80b70182b005
                                                                                                                • Instruction ID: 6a42160f3174bd8d3d48fd42baea9af62c009e766bc3c9a05a8d5ed6f3d6475d
                                                                                                                • Opcode Fuzzy Hash: ade670733cf729f4711e05bd1bb3e04b2fd35e2c5889c53c115e80b70182b005
                                                                                                                • Instruction Fuzzy Hash: 9F511370E5026ACEDB68CF65C844BEDB7B2BF88300F1095E6D50AA7640EB705AD5CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `8D/
                                                                                                                • API String ID: 0-266218351
                                                                                                                • Opcode ID: 0fad59b1cdacdfc4ea47ed8297bae416d2bb7a16b233cf37c215529080f2da2b
                                                                                                                • Instruction ID: 4d7fba694446d6242b744434ca42ea15997a061eedb0d41f54ad7a6ebb82df48
                                                                                                                • Opcode Fuzzy Hash: 0fad59b1cdacdfc4ea47ed8297bae416d2bb7a16b233cf37c215529080f2da2b
                                                                                                                • Instruction Fuzzy Hash: 10D1F671E152189FDB08CFA4E945A9DFBB6BF89300F209469E805BB394DB749D42CF18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `8D/
                                                                                                                • API String ID: 0-266218351
                                                                                                                • Opcode ID: e30f53dad8a994c5f0ec1511c7790554946cfcdcf6596ed8cf3910665b777b8c
                                                                                                                • Instruction ID: 8892efc1ff73cbccea64486d6e23605374453a25fd71e0114df49b592667f301
                                                                                                                • Opcode Fuzzy Hash: e30f53dad8a994c5f0ec1511c7790554946cfcdcf6596ed8cf3910665b777b8c
                                                                                                                • Instruction Fuzzy Hash: EFD1F575E152189FDB08CFA4E945A9DBBB2BF89300F209469E805BB394DB749D42CF18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Ykp9
                                                                                                                • API String ID: 0-2751023627
                                                                                                                • Opcode ID: afd54488db7dce09d312a1baba026689744c1e175a8428f4205d303b1b3ef62c
                                                                                                                • Instruction ID: 5eb7791c732b953488ff98d2cb65a50869f406272d6811eda8389e9e2467afb0
                                                                                                                • Opcode Fuzzy Hash: afd54488db7dce09d312a1baba026689744c1e175a8428f4205d303b1b3ef62c
                                                                                                                • Instruction Fuzzy Hash: CF717E74E19269DFCB18CFA4D9806ADFBB2FF49350F10A51AD806B7644D7349982CF08
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 17263add1a37ec5dc49bc175f51916eef9109d611f51ea68130d8f356a990aa6
                                                                                                                • Instruction ID: 84cdb74bf0aed18e5c7993e394d7f7dd4662e71c2fa72cede6fdc596181e352a
                                                                                                                • Opcode Fuzzy Hash: 17263add1a37ec5dc49bc175f51916eef9109d611f51ea68130d8f356a990aa6
                                                                                                                • Instruction Fuzzy Hash: 95527631A04619CFDB54CF68C884BAAB7B2FF45304F1584A9EA19AB361D770F985CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fb2369c80080b775a87aebb82ea22e7daeaffb7f011dab670d550455ab2cbc85
                                                                                                                • Instruction ID: 3a27621c10e3a17c04530d12a8ab3ba5fd8a1f8b6afdd929bdaf4dac4d099228
                                                                                                                • Opcode Fuzzy Hash: fb2369c80080b775a87aebb82ea22e7daeaffb7f011dab670d550455ab2cbc85
                                                                                                                • Instruction Fuzzy Hash: B9D1CB71B003608FDB69DBB5C4507AEB7E7AF88304F14856DDA468B394DB35E901CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a88ee03c8fbbb87cf7eec0c814cf9caf9ca8a84def1b1e7d60123ec9f98f9fc4
                                                                                                                • Instruction ID: 6b7b12532546e2d230cbbf245fb77917bfb6fc164e06400ed828235e5e4d72f6
                                                                                                                • Opcode Fuzzy Hash: a88ee03c8fbbb87cf7eec0c814cf9caf9ca8a84def1b1e7d60123ec9f98f9fc4
                                                                                                                • Instruction Fuzzy Hash: C1A12A74E052198FDB08CFA9C58069EFBF2BF8A314F24C165D819AB358E7349D42CB65
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 52f2b2436a5c1a67f52758519b8b42d5bd1c6acc5f61abc015b833b4d73dc6b7
                                                                                                                • Instruction ID: a981f06869030dc5c9d4fdf9b8e6e57f4a7d3bfee7dff6a5203cc821c3614459
                                                                                                                • Opcode Fuzzy Hash: 52f2b2436a5c1a67f52758519b8b42d5bd1c6acc5f61abc015b833b4d73dc6b7
                                                                                                                • Instruction Fuzzy Hash: 09A13B74E052198FDB08CFA9C58069EFBF2BF8A314F24C165D819AB358E7349D42CB65
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3d8515fad1e6a047895daec8840ac57f1b8cc19436edd5fc25da771e02520e86
                                                                                                                • Instruction ID: bcf4a02393c7f1651c4b1c92c60b2e12f263b337a7da0386556ab0b17eca412b
                                                                                                                • Opcode Fuzzy Hash: 3d8515fad1e6a047895daec8840ac57f1b8cc19436edd5fc25da771e02520e86
                                                                                                                • Instruction Fuzzy Hash: FC918B74E04329CFCB04DBA4C8549EDB7BAFF89304F158619E506AB7A0EB34A945CF60
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: da6c769fe0bb8fa263963bb335dc060024e2c40ebd04609e2fff6422a14f47e0
                                                                                                                • Instruction ID: b6fffd599e0ac1f09cb7647a984434fc15c1716db08642451a027b8623556ab7
                                                                                                                • Opcode Fuzzy Hash: da6c769fe0bb8fa263963bb335dc060024e2c40ebd04609e2fff6422a14f47e0
                                                                                                                • Instruction Fuzzy Hash: DA817C39E003198FCB04DBA4D8549DDB7BAFF89314B158619E505AB7A0EB34A985CF60
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 54e45295f92566a549448bdf094be4a1113be1dc1b55fea6205e21137ac4e551
                                                                                                                • Instruction ID: 39c157f94f3384c4675e4ec09bb87e81a48cf3cac0716a6b370d8161f3ebd13d
                                                                                                                • Opcode Fuzzy Hash: 54e45295f92566a549448bdf094be4a1113be1dc1b55fea6205e21137ac4e551
                                                                                                                • Instruction Fuzzy Hash: CD810574E152599FCB08DFA5E89559EBBB2FF89300F20846AE815BB3A4DB345902CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2c0bbfd12345b848ea0b25071e2399e65e83511a9522219ab03cfca0b9300149
                                                                                                                • Instruction ID: 41dc920444874cf8a5fc99d91c32a20b811066d811342534a71ebe0210d65745
                                                                                                                • Opcode Fuzzy Hash: 2c0bbfd12345b848ea0b25071e2399e65e83511a9522219ab03cfca0b9300149
                                                                                                                • Instruction Fuzzy Hash: AF81E574E152599FCB08DFA5E8955AEBBB2FF89300F20842AE816B7364DB745902CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0265452E
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0265452E
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 027FBCA6
Memory Dump Source
• Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027FDC2A
Memory Dump Source
• Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027FDC2A
Memory Dump Source
• Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027F7107
Memory Dump Source
• Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02653C1E
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02653D00
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02653D00
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 026541E0
Memory Dump Source
• Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
                                                                                                                • Opcode ID: 3ac8ffc20a3d3deb70c17bc2410040d93fcb6253be743c1ed56cada095f9a5ad
                                                                                                                • Instruction ID: 908a124c8543c24f3c026069fededfbfdab769285244d7aad5280b53203f44e2
                                                                                                                • Opcode Fuzzy Hash: 3ac8ffc20a3d3deb70c17bc2410040d93fcb6253be743c1ed56cada095f9a5ad
                                                                                                                • Instruction Fuzzy Hash: 482136B6C003198FCB10CFA9C885BEEBBF1FF48314F15842AE958A7640C7389945CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 026534DE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: ContextThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1591575202-0
                                                                                                                • Opcode ID: 7edbb644710f8ecb63e69ee2b13ea5964c6cb33600c1b8df64655b8478ec3c69
                                                                                                                • Instruction ID: dd87e07e6f81781a6589dcb923eb4b902fdde8770d08699c28c5b6087c3aaa0c
                                                                                                                • Opcode Fuzzy Hash: 7edbb644710f8ecb63e69ee2b13ea5964c6cb33600c1b8df64655b8478ec3c69
                                                                                                                • Instruction Fuzzy Hash: DD2138B5D003198FCB10CFA9C4857EEBBF4AF48268F15842AD959A7740CB789945CFA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 026541E0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: MemoryProcessRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 1726664587-0
                                                                                                                • Opcode ID: 2a1da58ef8d1577f7fa6c4024c49bd3bed995eb93955ec352ff55ce59ab1ac36
                                                                                                                • Instruction ID: 2fda4a3b26fa45c2d2b5284a29292fe91e27fcc59e1276916c8fa144f17c7220
                                                                                                                • Opcode Fuzzy Hash: 2a1da58ef8d1577f7fa6c4024c49bd3bed995eb93955ec352ff55ce59ab1ac36
                                                                                                                • Instruction Fuzzy Hash: 2A2116B59003599FCB10CFAAC884AEEBBB5FF48314F508429E958A7640CB389955CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 026534DE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: ContextThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1591575202-0
                                                                                                                • Opcode ID: 266f5ac8e72c26f478608b077960067c3cdae1cf1107caf536d950b372fefb80
                                                                                                                • Instruction ID: a8d4b08c79eaa6013d73d1c47226b39a45984fb4eebe1c36b59071dbea13c799
                                                                                                                • Opcode Fuzzy Hash: 266f5ac8e72c26f478608b077960067c3cdae1cf1107caf536d950b372fefb80
                                                                                                                • Instruction Fuzzy Hash: D42135719003198FCB10CFAAC4847EEBBF4AF48268F14842AD959A7740CB78A945CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027F7107
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                • Opcode ID: beac3bef799fdd4e78cadca0420f938e25e58cd71b641a883aa1a455fe35b2d4
                                                                                                                • Instruction ID: 0ee4523352d077323c2b1e07eeb6ca0a69c88ca148eb024dc02863135328269b
                                                                                                                • Opcode Fuzzy Hash: beac3bef799fdd4e78cadca0420f938e25e58cd71b641a883aa1a455fe35b2d4
                                                                                                                • Instruction Fuzzy Hash: F921E4B59002199FDB10CF9AD884ADEFBF8FB48324F14842AE914A7310D374A954CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,027FBD21,00000800,00000000,00000000), ref: 027FBF32
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                • Opcode ID: 7f2992d500b4464e690e9d28425415ec535104bf7106e3ce42a091e18930854d
                                                                                                                • Instruction ID: 31df9406783a16a504461e423b43977b91f34ea2db2a1613ffe5347c21aafbe8
                                                                                                                • Opcode Fuzzy Hash: 7f2992d500b4464e690e9d28425415ec535104bf7106e3ce42a091e18930854d
                                                                                                                • Instruction Fuzzy Hash: 731103B69043098FCB10CF9AC444A9EFBF4EB89328F15842AE515A7700C374A945CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02653C1E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: AllocVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 4275171209-0
                                                                                                                • Opcode ID: d6d4faee9efe5ba3133e56e707168579587d58cc6866cec11a428f5e3109b58b
                                                                                                                • Instruction ID: 9742db3aa029e010f5036fa1f061a20cd52a3f1c856f838c34a2ae637e0e9a5d
                                                                                                                • Opcode Fuzzy Hash: d6d4faee9efe5ba3133e56e707168579587d58cc6866cec11a428f5e3109b58b
                                                                                                                • Instruction Fuzzy Hash: 1D1167719003488FCB10DFAAC844BDFFBF5AF48324F148819E515A7250C7399950CFA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • OutputDebugStringW.KERNELBASE(00000000), ref: 02651A08
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DebugOutputString
                                                                                                                • String ID:
                                                                                                                • API String ID: 1166629820-0
                                                                                                                • Opcode ID: c6847da14d8b231f6444b447f01f01d30e0c02238e4afb05bc425daa72765dbf
                                                                                                                • Instruction ID: 9a35b494900ce12c6bc941cb125dda3e01931a0eda51ecaf0c358b70386c3f0f
                                                                                                                • Opcode Fuzzy Hash: c6847da14d8b231f6444b447f01f01d30e0c02238e4afb05bc425daa72765dbf
                                                                                                                • Instruction Fuzzy Hash: A41114B5D0061A9FCB10CF99D585BDEFBB4FB48324F14815AD818A7640C738A945CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027FE1C5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378638983-0
                                                                                                                • Opcode ID: 9d2eca4e54032a1f4d21748a65bcd306f387bb3c3144bb8b3b727800679543b8
                                                                                                                • Instruction ID: 849e9559391c73b500208ff6fb84df2cd841f9c9db6584e6b18f56401a114387
                                                                                                                • Opcode Fuzzy Hash: 9d2eca4e54032a1f4d21748a65bcd306f387bb3c3144bb8b3b727800679543b8
                                                                                                                • Instruction Fuzzy Hash: A81149B5804359CFDB10CF9AC884BDEBBF4EB48324F10891AD555A7750C374A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: ResumeThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 947044025-0
                                                                                                                • Opcode ID: 4693cd735c6301f3493d2bad260de7e9332d21fc62ac50b69807fe7eb4e511da
                                                                                                                • Instruction ID: 6ed9e748afec9453aac7ae72abcc34647986d2811035e88b65bfc2faeab6e553
                                                                                                                • Opcode Fuzzy Hash: 4693cd735c6301f3493d2bad260de7e9332d21fc62ac50b69807fe7eb4e511da
                                                                                                                • Instruction Fuzzy Hash: 101158B5D007188FCB10DFA9C5847EEFBF5AB48224F14882AD515A7740C7399944CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • OutputDebugStringW.KERNELBASE(00000000), ref: 02651A08
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DebugOutputString
                                                                                                                • String ID:
                                                                                                                • API String ID: 1166629820-0
                                                                                                                • Opcode ID: c4423c5f76bedad446a1640df54ecd4085dac015044d07a65ca8b6b489f3b16a
                                                                                                                • Instruction ID: 558d410f1a0b1529a641aa96740b690b5a0fa493bb56acb16b395c379e87f196
                                                                                                                • Opcode Fuzzy Hash: c4423c5f76bedad446a1640df54ecd4085dac015044d07a65ca8b6b489f3b16a
                                                                                                                • Instruction Fuzzy Hash: DC1132B1D0065A9FCB10CF9AD544B9EFBB4FB48324F10816AE818B7740C738AA40CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: ResumeThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 947044025-0
                                                                                                                • Opcode ID: 80a55b14bef07bfed16ff675be52db35e69bd546b29f6136a5d421ae42386700
                                                                                                                • Instruction ID: 6bd46146811b9dab39fde7ffcdc497ccc98707dc9c187925caf09e9a3a584b71
                                                                                                                • Opcode Fuzzy Hash: 80a55b14bef07bfed16ff675be52db35e69bd546b29f6136a5d421ae42386700
                                                                                                                • Instruction Fuzzy Hash: CC1136B1D007588BCB10DFAAC4447EFFBF5AB88228F148829D519A7740CB79A944CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 026594CD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: MessagePost
                                                                                                                • String ID:
                                                                                                                • API String ID: 410705778-0
                                                                                                                • Opcode ID: da7054edc37bc1251ca3d714d326375f5041e4fe9807b680fb9166d6b0aabb33
                                                                                                                • Instruction ID: 3a1c312c32954b152e22cc813ecb5dbae94230a05721b528788524ed02331c42
                                                                                                                • Opcode Fuzzy Hash: da7054edc37bc1251ca3d714d326375f5041e4fe9807b680fb9166d6b0aabb33
                                                                                                                • Instruction Fuzzy Hash: 861103B58003599FDB10DF99C588BDFBBF8FB48324F148459E954A7600C374A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 026594CD
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: MessagePost
                                                                                                                • String ID:
                                                                                                                • API String ID: 410705778-0
                                                                                                                • Opcode ID: d19698c0a5e7bafddafcbbcb52a56bb01a465fa81ece15cb47976950c965eb29
                                                                                                                • Instruction ID: 350534ef6db99f51149f834244b60fc26cb5f98d426040a183b9116a4414493c
                                                                                                                • Opcode Fuzzy Hash: d19698c0a5e7bafddafcbbcb52a56bb01a465fa81ece15cb47976950c965eb29
                                                                                                                • Instruction Fuzzy Hash: C911F2B5800359DFDB20DF9AC488BDEBBF8EB48324F148459E955A7600C378A944CFE1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027FE1C5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378638983-0
                                                                                                                • Opcode ID: 86bfa1b76ce51e3d045b6e4b7fc86a042d69ee5c365657f53937eda4480d9c85
                                                                                                                • Instruction ID: 35c6ea20cec18b95c5af3881699bd64c79bdd276632c7d6f5e97e7d594cf7ef1
                                                                                                                • Opcode Fuzzy Hash: 86bfa1b76ce51e3d045b6e4b7fc86a042d69ee5c365657f53937eda4480d9c85
                                                                                                                • Instruction Fuzzy Hash: 2B11E3B59047499FDB20CF9AC488BDFBBF8EB48224F108459E915A7710C374A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 027FBCA6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 4fbd545b837aa9c5244a5dab16b406167c03bbce6faa673e76ea4d8842eacc74
                                                                                                                • Instruction ID: 82eb1d3b7a14851cc765864f227ddefe1e8edfac4b997c0e33a5523efcc2e4c3
                                                                                                                • Opcode Fuzzy Hash: 4fbd545b837aa9c5244a5dab16b406167c03bbce6faa673e76ea4d8842eacc74
                                                                                                                • Instruction Fuzzy Hash: 8C11DFB6D007498FCB10CF9AC444BDFFBF4AB88228F14846AD919A7610D778A546CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027FE1C5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378638983-0
                                                                                                                • Opcode ID: a2078b9797728989a2062888e0cf633d1caff1e696a20b207b67e9ed84484ccc
                                                                                                                • Instruction ID: ac1c4034064066ea8e8c4dd5aec03750f41397db8d86d627c1bc30f08a32fd82
                                                                                                                • Opcode Fuzzy Hash: a2078b9797728989a2062888e0cf633d1caff1e696a20b207b67e9ed84484ccc
                                                                                                                • Instruction Fuzzy Hash: 431103B5900349CFDB20CF99D584BDEBBF4EB48324F14885AD959A7750C374A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677672485.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8f2c6351c5824eefbf7cfb7dfa1b945edcafccc57f9b3a68dc7180d59d68ce81
                                                                                                                • Instruction ID: bf27018db7ca2de336e3fa6bdfed6f29ef3485ab3580b9ca0f3e49f3e78dfae7
                                                                                                                • Opcode Fuzzy Hash: 8f2c6351c5824eefbf7cfb7dfa1b945edcafccc57f9b3a68dc7180d59d68ce81
                                                                                                                • Instruction Fuzzy Hash: 44214CB5904204DFCB04CF10D9C4F16BFA6FB8A328F388569E9064B646C336D855DBB2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677703755.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c18b33b2a6cfea0175f8a884e000ab0ee2bbab604a830883bb44dde566cc5fea
                                                                                                                • Instruction ID: 7f7c02ee0d93b09dffd63c3db5bc066b8aa9db91df074501ae6cae2d1808f519
                                                                                                                • Opcode Fuzzy Hash: c18b33b2a6cfea0175f8a884e000ab0ee2bbab604a830883bb44dde566cc5fea
                                                                                                                • Instruction Fuzzy Hash: B22137B5504204DFCB14EF20D4C0B56BB62FB88314F24C5A9E84A4B246D336D807CA71
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677703755.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c8f3b4af43b944a3547c257bba73a388016e1ccef4c2224dd4e3d553a2b9f8e7
                                                                                                                • Instruction ID: 85021bdd90b74f2be6213b7e6c9efa8ef5d10fab9e974910a27040683cad5af7
                                                                                                                • Opcode Fuzzy Hash: c8f3b4af43b944a3547c257bba73a388016e1ccef4c2224dd4e3d553a2b9f8e7
                                                                                                                • Instruction Fuzzy Hash: 042107B5504284EFDB05CF10D5C0B66BBA6FB84318F24C5BDE94A4B246D376D846CB71
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677703755.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1cbb8f667a03c4f4bf1f8648514a2c8b2d3806799ffec81d28f91abce1a390ef
                                                                                                                • Instruction ID: db0704992c525422dbdbc0f698da3f45bd1b7c1919210081fb4fab7a1a81167a
                                                                                                                • Opcode Fuzzy Hash: 1cbb8f667a03c4f4bf1f8648514a2c8b2d3806799ffec81d28f91abce1a390ef
                                                                                                                • Instruction Fuzzy Hash: B32180755093C0CFCB12CF20D994755BF71EB46314F28C5EAD8498B697C33A980ACB62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677672485.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
                                                                                                                • Instruction ID: 2d83d315774d08cdded48d3b68c9ead8c936c3bd0acd8b9bed0be4d58c3eeaf6
                                                                                                                • Opcode Fuzzy Hash: c28d7f9b6c052c6bf27c54b29b78abe899c0e928c1954ef857855ef63c427eb8
                                                                                                                • Instruction Fuzzy Hash: FD11E676804280CFCF11CF10D5C4B16BF72FB99324F28C6A9D8060B656C33AD856CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677703755.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ac1c577071c2d0f69f9c0c2e3af2bcc6dc79f4eb61d5675d3e9761bf736dafb1
                                                                                                                • Instruction ID: 44219b2ffc6c632de2d3c518d7abcbf8df956d9d459b9357deda76facfae1938
                                                                                                                • Opcode Fuzzy Hash: ac1c577071c2d0f69f9c0c2e3af2bcc6dc79f4eb61d5675d3e9761bf736dafb1
                                                                                                                • Instruction Fuzzy Hash: 89118B75904280DFCB11CF10D5C4B55BBB2FB84324F28C6A9D84A4B656D33AD84ACB61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677672485.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a161fa066c5e6cbd6247149f3e2db588de12012ef2b2e80b4fedabcea79d7dd4
                                                                                                                • Instruction ID: fc37be371167de91850901bb043701202f90f432c3129fb13b89ba33afac21e3
                                                                                                                • Opcode Fuzzy Hash: a161fa066c5e6cbd6247149f3e2db588de12012ef2b2e80b4fedabcea79d7dd4
                                                                                                                • Instruction Fuzzy Hash: 8801F771008344AAD7148E25C884766BB98EF42764F28C45AED474AA46C3789C44D6B1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677672485.0000000000DAD000.00000040.00000001.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d51741638476159ffd60f6ce8583b7c8593b09832523b21587893cc625e0d0f1
                                                                                                                • Instruction ID: b88844701e84b92952ea4b01e6657b4b292005606ab6a0cdcc880da6452d6511
                                                                                                                • Opcode Fuzzy Hash: d51741638476159ffd60f6ce8583b7c8593b09832523b21587893cc625e0d0f1
                                                                                                                • Instruction Fuzzy Hash: 8CF0F671404344AEEB148E06CCC4B62FFA8EF82774F1CC45AED494B686C3789C44CAB0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: jeX
                                                                                                                • API String ID: 0-1926182436
                                                                                                                • Opcode ID: 66476b59bb8d98d2aa7a6c420253e195758ec98d693acdc6169f8fc05400f3a5
                                                                                                                • Instruction ID: ee8cd0200ad18ec04cb972c7da19327a3799041cbaec948aeff413c28a2e8fa1
                                                                                                                • Opcode Fuzzy Hash: 66476b59bb8d98d2aa7a6c420253e195758ec98d693acdc6169f8fc05400f3a5
                                                                                                                • Instruction Fuzzy Hash: 0691E474E15219CBCB08CFE9D58199EFBF2AF89300F60942AE805BB314D7319902CFA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: jeX
                                                                                                                • API String ID: 0-1926182436
                                                                                                                • Opcode ID: b177eeb9da5c4b3e17b3f32925d43d3b38a9916cdd651db40b3bc8130424c686
                                                                                                                • Instruction ID: 52d363413237bf34e360b7973692e71a2ff6ae1b9b6bdeb37b86ef572c0ca15e
                                                                                                                • Opcode Fuzzy Hash: b177eeb9da5c4b3e17b3f32925d43d3b38a9916cdd651db40b3bc8130424c686
                                                                                                                • Instruction Fuzzy Hash: 8A91F475E152198FCB09CFE9D58199EFBF2AF89300F60946AD805BB314D7309902CFA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: W9nq
                                                                                                                • API String ID: 0-2153263515
                                                                                                                • Opcode ID: cd552b53b65af3026291bcf3de7b6cc40238d8d98fe1b33a73563dce1598b905
                                                                                                                • Instruction ID: f513f908b08515aaf54cc90b7320fedc60f358985abac89771cf59327ef290e2
                                                                                                                • Opcode Fuzzy Hash: cd552b53b65af3026291bcf3de7b6cc40238d8d98fe1b33a73563dce1598b905
                                                                                                                • Instruction Fuzzy Hash: B6615B70E0521A9FCB18CFA9D4916EFFBF2AF89310F14D026DA15A7254D7349A42CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: W9nq
                                                                                                                • API String ID: 0-2153263515
                                                                                                                • Opcode ID: 14fd589d944c3f0c24d435ceaa3f2127cee3b036ea1e5aba9570c767d737e5f1
                                                                                                                • Instruction ID: aba6fd3476c784d16bed10a6e34139d14fb09017f3efb752a2ad0a8c83860fcc
                                                                                                                • Opcode Fuzzy Hash: 14fd589d944c3f0c24d435ceaa3f2127cee3b036ea1e5aba9570c767d737e5f1
                                                                                                                • Instruction Fuzzy Hash: BD616B70E0521A9FDB18CFA9D4416EFFBB2EF88310F14D026DA15A7254D7349A42CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.676352861.0000000000402000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                 • Associated: 00000000.00000002.676335717.0000000000400000.00000002.00020000.sdmp
                                                                                                                 • Associated: 00000000.00000002.676685161.00000000004AC000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ba1dc42940ce141afe1d335a42a039e2e9e4b68561e4cebd4151dc78f180b2bd
                                                                                                                • Instruction ID: 468754b5f24e92e1859d9e1a9c9804641b2d6b3401cbfbb2cd00e11729edbfd9
                                                                                                                • Opcode Fuzzy Hash: ba1dc42940ce141afe1d335a42a039e2e9e4b68561e4cebd4151dc78f180b2bd
                                                                                                                • Instruction Fuzzy Hash: B002AB6140FBC14FCB134B746EB56D17FB2AE57214B0E48DBC8C18F1A3E1185A9AE762
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%
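Each record in this listing is a per-function fingerprint: the memory dump the function was disassembled from (with "based on PE: false" marking dumps that were not taken from a mapped PE image, which for a sample that injects a PE into a foreign process is where the unpacked code sits), any Win32 API the function references, and the opcode and instruction fuzzy hashes. The parser below is an added example, not part of this report or of Joe Sandbox: it reads that layout into records and pivots them by memory region. The sample text is three records copied from this page and trimmed to the fields used; the field names, the executed flag derived from the "Non-executed Functions" heading, and the positional hash comparison are my own assumptions, and the latter is a rough heuristic for spotting near-identical stubs, not the tool's similarity score.

```python
"""Parse Joe Sandbox per-function records (as listed on this page) and pivot
them by memory region. Added example, not Joe Sandbox code: the record layout
is read off this listing and the field names are my own."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records copied from the listing above, trimmed to
# the fields this parser uses, page indentation and "Download File" widgets removed.
SAMPLE = """\
APIs
• SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027FE1C5
Memory Dump Source
• Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• Opcode ID: 86bfa1b76ce51e3d045b6e4b7fc86a042d69ee5c365657f53937eda4480d9c85
• Instruction Fuzzy Hash: 2B11E3B59047499FDB20CF9AC488BDFBBF8EB48224F108459E915A7710C374A944CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 027FE1C5
Memory Dump Source
• Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
Similarity
• API ID: LongWindow
• Opcode ID: a2078b9797728989a2062888e0cf633d1caff1e696a20b207b67e9ed84484ccc
• Instruction Fuzzy Hash: 431103B5900349CFDB20CF99D584BDEBBF4EB48324F14885AD959A7750C374A944CFA1
Uniqueness
Uniqueness Score: -1.00%
Non-executed Functions
Memory Dump Source
• Source File: 00000000.00000002.676352861.0000000000402000.00000002.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.676335717.0000000000400000.00000002.00020000.sdmp
Similarity
• Opcode ID: ba1dc42940ce141afe1d335a42a039e2e9e4b68561e4cebd4151dc78f180b2bd
• Instruction Fuzzy Hash: B002AB6140FBC14FCB134B746EB56D17FB2AE57214B0E48DBC8C18F1A3E1185A9AE762
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
API_RE = re.compile(r"^(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")

@dataclass
class FunctionRecord:
    executed: bool = True            # False once the "Non-executed Functions" heading is passed
    dump_file: str = ""
    offset: int = 0
    backed_by_pe: bool = False       # False: dump not taken from a mapped PE image
    apis: list = field(default_factory=list)    # (name, module, args, ref) tuples
    fields: dict = field(default_factory=dict)  # Similarity keys: Opcode ID, ...
    uniqueness: float = 0.0

def parse_records(text):
    # One record per "Uniqueness Score" line; a trailing partial record is dropped.
    records, cur, section, executed = [], FunctionRecord(), None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Non-executed Functions":
            executed = False
        elif line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            cur.executed = executed
            records.append(cur)
            cur, section = FunctionRecord(), None
        else:
            line = line.lstrip("• ").strip()
            if section == "APIs" and (m := API_RE.match(line)):
                cur.apis.append(m.groups())
            elif section == "Memory Dump Source" and (m := SRC_RE.match(line)):
                cur.dump_file, cur.offset, cur.backed_by_pe = m[1], int(m[2], 16), m[3] == "true"
            elif section == "Similarity":
                key, _, value = line.partition(":")
                cur.fields[key.strip()] = value.strip()
    return records

def regions(records):
    # Per memory region: function count, APIs seen and whether the dump is PE-backed.
    # Regions with backed_by_pe False are where unpacked or injected code sits.
    out = {}
    for r in records:
        reg = out.setdefault(r.offset, {"dump_file": r.dump_file, "backed_by_pe": r.backed_by_pe,
                                        "functions": 0, "apis": set()})
        reg["functions"] += 1
        reg["apis"].update(a[0] for a in r.apis)
    return out

def fuzzy_similarity(h1, h2):
    # Fraction of positions at which two Instruction Fuzzy Hashes agree. My own
    # heuristic for spotting near-identical stubs; not Joe Sandbox's similarity score.
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1.upper(), h2.upper())) / len(h1)
```

Run over the whole section, the pivot separates the PE-backed image at 00400000 from the 027F0000, 02650000, 00DAD000 and 00DBD000 dumps, which are all "based on PE: false" here; those are the dumps worth pulling for static analysis of the unpacked stage. The two SetWindowLongW wrappers at 027F0000 have different Opcode IDs but agree at about seven in ten hash positions, while an unrelated function from the image agrees at well under two in ten, which is what the heuristic is meant to surface.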

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fbf2351417e0f18f0d564d903027bc0612618302b5c231cad2b018ef60b43fdf
                                                                                                                • Instruction ID: efc86a83cb57a5c326ad73de8274c2d046f847cb5b30f0551ab092ec7fa91649
                                                                                                                • Opcode Fuzzy Hash: fbf2351417e0f18f0d564d903027bc0612618302b5c231cad2b018ef60b43fdf
                                                                                                                • Instruction Fuzzy Hash: 19A16F36E042198FCF06DFB5C84459EB7B2FF89304B15856AEA05BB320EB75A915CF80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.678024342.00000000027F0000.00000040.00000001.sdmp, Offset: 027F0000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a6d505c08aca2e4f3190d754168d006686a8655570ad4e414f14ec69e1ea1be7
                                                                                                                • Instruction ID: 41a1fe0ca98d7be8837f54b30e94fb87acdabebf0478784d743ebce6e3f8ed9b
                                                                                                                • Opcode Fuzzy Hash: a6d505c08aca2e4f3190d754168d006686a8655570ad4e414f14ec69e1ea1be7
                                                                                                                • Instruction Fuzzy Hash: 12C12CF9C917668BD711CF65E8981893BB1BB84328FD14B08E1612BAD0D7BC117ACF84
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 03b158092d40c2f746261da82cf615f09107037505f455c5b88fb49250b6c89c
                                                                                                                • Instruction ID: be523cfb4170207f78ca6b6359501c87f8377575cc07844872eca05c4beb3620
                                                                                                                • Opcode Fuzzy Hash: 03b158092d40c2f746261da82cf615f09107037505f455c5b88fb49250b6c89c
                                                                                                                • Instruction Fuzzy Hash: 1B61F8B4E046298BDB14DF69C980A9DFBB2BF89304F24D1A9D908A7355DB309A41CF61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e3c8948bafc4b1ee7566e61d16dd32174c29df3a2454c51be6786b114b086ca0
                                                                                                                • Instruction ID: b7e1975145b9046d936013c3e898d4d99faf51c15725af8aff7c43ac51ced106
                                                                                                                • Opcode Fuzzy Hash: e3c8948bafc4b1ee7566e61d16dd32174c29df3a2454c51be6786b114b086ca0
                                                                                                                • Instruction Fuzzy Hash: 61510BB4E045298BDB14DF69C980A9DFBF2BF89304F24D1A9D908A7355D7309D41CF61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a7d0b5e6932834e2083b52bfd23f28db9a06a88331206163e4cbfa6761c061d8
                                                                                                                • Instruction ID: 476defc1c74420815a9960d6513457911f6626fbbd1340edf23696fb77a92991
                                                                                                                • Opcode Fuzzy Hash: a7d0b5e6932834e2083b52bfd23f28db9a06a88331206163e4cbfa6761c061d8
                                                                                                                • Instruction Fuzzy Hash: AB411B70E15629CBDB18CF6AD880B9EFBB6BF89314F14C1A9E909A7354DB3099418F50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0715ec48cde42d114ad033dc705f81bd2d017906a8b6898b828c2396770c914f
                                                                                                                • Instruction ID: fba9bd3d06aa689bd6274cbeab0733aa1701fd0179a9c48a53a74aef2cd05ffa
                                                                                                                • Opcode Fuzzy Hash: 0715ec48cde42d114ad033dc705f81bd2d017906a8b6898b828c2396770c914f
                                                                                                                • Instruction Fuzzy Hash: BA415670E1521ADFCB08CFA9D5816AEBBF2FF88300F50946AD405E7254E7349A41CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fbc57a3403fb31386abd0b28657c56ddbf6eed4ebad7dc45437636c9c039f946
                                                                                                                • Instruction ID: 1254ca5567d941459adc316f07144ece2f2845a6e287b6b05a112d7b839e17a7
                                                                                                                • Opcode Fuzzy Hash: fbc57a3403fb31386abd0b28657c56ddbf6eed4ebad7dc45437636c9c039f946
                                                                                                                • Instruction Fuzzy Hash: AE412B70E15629CFDB18CF6AD981B9EF7F2BF89300F14C0AAE908A7255DB3099418F51
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 6dee7af4d62b04870fa4f381fdb08952f30e957513e862fd8d93d82aa0a40bd7
                                                                                                                • Instruction ID: ca04a34d1d8db7c3826c7e4a7d8895fe8d5be54e7b530e2e67e4b703830abc50
                                                                                                                • Opcode Fuzzy Hash: 6dee7af4d62b04870fa4f381fdb08952f30e957513e862fd8d93d82aa0a40bd7
                                                                                                                • Instruction Fuzzy Hash: 4821F470D09228DBDB18CFA5D848BEDBAF5EB4A308F54506AF806B3298C7784945CB64
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.677931968.0000000002650000.00000040.00000001.sdmp, Offset: 02650000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8b453e91e055ec5cdb83fa0ba9671bdcad8d404da831258803578cd835214f82
                                                                                                                • Instruction ID: 7cd6f82b8a186b4b6d1aa362eae55e1dab8682fe57dbc114aebea2fcd35a5abf
                                                                                                                • Opcode Fuzzy Hash: 8b453e91e055ec5cdb83fa0ba9671bdcad8d404da831258803578cd835214f82
                                                                                                                • Instruction Fuzzy Hash: FA214670C09269CBDB148FA4D488BEDBBB0FB0A309F04546AF802B7295C7788945CB64
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Executed Functions

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: D0(l$D0(l$D0(l
                                                                                                                • API String ID: 0-339771162
                                                                                                                • Opcode ID: ca367259ce647b6564f26b7da1f8835fc6ab030dd2bf7d0fa527ddf63b0b8923
                                                                                                                • Instruction ID: c6ce03811efc2aecebb18197298d529965d3fe198fcc5f7dfbf7d96eb45b9ad9
                                                                                                                • Opcode Fuzzy Hash: ca367259ce647b6564f26b7da1f8835fc6ab030dd2bf7d0fa527ddf63b0b8923
                                                                                                                • Instruction Fuzzy Hash: 4A128F70A006199FDB18DF68C854BAEBBB6FF88304F15846AE906DB391DF749C45CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907208651.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 371655b71ccdb3a0ee86559abea669ec2e44f38df523f789f3818bcdb16f0438
                                                                                                                • Instruction ID: a04dad9f1432030d8a703c7ac820e12b123449053304266dff243c544745a7eb
                                                                                                                • Opcode Fuzzy Hash: 371655b71ccdb3a0ee86559abea669ec2e44f38df523f789f3818bcdb16f0438
                                                                                                                • Instruction Fuzzy Hash: 18620971E006298FDB25EF78C9546DEB7F1BF89304F1085AAD549AB350EF30AA85CB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9b21f8f08a016716f873594d22f201d31e93faf4b119053296e9ed648a7d92c0
                                                                                                                • Instruction ID: 33e4496b9e72218ce703e6bc219d82f5cdd575136567ee3b7045049d20668ace
                                                                                                                • Opcode Fuzzy Hash: 9b21f8f08a016716f873594d22f201d31e93faf4b119053296e9ed648a7d92c0
                                                                                                                • Instruction Fuzzy Hash: 0F033D74A012148FDB24EFB8D8587AEBBF2EF85314F1484AAD409EB391DB359C85CB51
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907163894.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                • Opcode ID: f08c0e0ab22bcc82b72491b07154f84fdb55c90706fd55ba11e823c9ccd50727
                                                                                                                • Instruction ID: d95be366300bbec465590ab97ff1786d11c4387840cb91dccc0f4810ccc74298
                                                                                                                • Opcode Fuzzy Hash: f08c0e0ab22bcc82b72491b07154f84fdb55c90706fd55ba11e823c9ccd50727
                                                                                                                • Instruction Fuzzy Hash: 9B519071A002059BCB05EFF4D848AAEB7B6FF84204F148969E5169B385EF70E844CBA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ea8c5358d59d40889d21de466d6eab3a168dda6bab475f2cdca7e9bf97c86f77
                                                                                                                • Instruction ID: 1786305cc79c4c00d093c66cfc14e5cc9e1f7cd526b2e84f7317b2fe2ada7299
                                                                                                                • Opcode Fuzzy Hash: ea8c5358d59d40889d21de466d6eab3a168dda6bab475f2cdca7e9bf97c86f77
                                                                                                                • Instruction Fuzzy Hash: 6F824A70A00609DFCB15EF69C584AAEBBF2FF88714F15856AE9059B3A1DB30ED41CB50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 032446ca60912b552c967bb5f512d01bbd53ee840724597ef5c9506453400926
                                                                                                                • Instruction ID: dbd7ebae722b5a26a8ba820f40b6c2fc649e89d9211e1b5bdc7d4713bc28c9c8
                                                                                                                • Opcode Fuzzy Hash: 032446ca60912b552c967bb5f512d01bbd53ee840724597ef5c9506453400926
                                                                                                                • Instruction Fuzzy Hash: 28025C30A00119DFDB15EFA9C984EAEBBB2FF88314F15806AE915AB361D774ED41CB50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Xc(l$Xc(l
                                                                                                                • API String ID: 0-2612244587
                                                                                                                • Opcode ID: cdcfc29bb6bcaea9120ecbd94c23a595cedba6c9dc7c3800bdf27b0fb9b42010
                                                                                                                • Instruction ID: 0ce65bbc3276fdd910bb839ed3da5dd0a61e5658fe5e2aca65f9e7b57703f1ed
                                                                                                                • Opcode Fuzzy Hash: cdcfc29bb6bcaea9120ecbd94c23a595cedba6c9dc7c3800bdf27b0fb9b42010
• Instruction Fuzzy Hash: 0281BD74B005058FDB18EF6CC484AAEBBB2BF88A44B15816BD916DB371D730E843CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 252b7755d2b56175ca322cd883e7bf3b625f17443e7f0f1cfe93a460b2d4baa1
• Instruction ID: 4f01242140b74e227f0658829ed7602537b2a354a5d61261f0af2523f58c631f
• Opcode Fuzzy Hash: 252b7755d2b56175ca322cd883e7bf3b625f17443e7f0f1cfe93a460b2d4baa1
• Instruction Fuzzy Hash: 56C29A32989B0F8FD7549E8DF985599B7E1FB8123471683AFC0048B675CABE48C7C681
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.907208651.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 733b8cbca5e19422b44ba6950def0da6d1e83862a093f115a2e46416d69ebf8e
• Instruction ID: cdbfc9134e798c1d0929180dc722e80e0ed570af0a57d05cfbfd2c657b5201e0
• Opcode Fuzzy Hash: 733b8cbca5e19422b44ba6950def0da6d1e83862a093f115a2e46416d69ebf8e
• Instruction Fuzzy Hash: 0A718D31A003199FDB14DBB4D858BAEBBF2BF85304F108828E416AB795DF79AC45CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907208651.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e367cf99c8b075133f5523a725c5ace68cc3d0019e5e77e6e49121f9e0225a2
• Instruction ID: 7cdc482b0e61a8dde40c3db6ab454c7cea36b9164a7619c0c14ff839e71a6640
• Opcode Fuzzy Hash: 0e367cf99c8b075133f5523a725c5ace68cc3d0019e5e77e6e49121f9e0225a2
• Instruction Fuzzy Hash: CB513872E043958FCB11CF79D8446DABBF5EF86310F0A84AAD5449B281EB349C45CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.907163894.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 83bf659d8415cd1e63b3ce51dee3b237464cd5c1c7aaabe8e997cc389da47581
• Instruction ID: c57081161d2a61a25f270aea76bf5b54e0f4ec0cb674042382e6a7a0c54d3ed7
• Opcode Fuzzy Hash: 83bf659d8415cd1e63b3ce51dee3b237464cd5c1c7aaabe8e997cc389da47581
• Instruction Fuzzy Hash: 24419171A002059FCB05EFF4D848AAEB7B6BF84204F148969E5129B395EF70E8448BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0150C759
Memory Dump Source
• Source File: 00000007.00000002.907163894.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: dc5ef2f5340a75158abeefeeb5210dbd41f7bc02f69887b07342caf1a042231e
• Instruction ID: 1444901ebe05a4f3e792ed05c87b1ea156f40b3cd32bfa60490d763ebcced364
• Opcode Fuzzy Hash: dc5ef2f5340a75158abeefeeb5210dbd41f7bc02f69887b07342caf1a042231e
• Instruction Fuzzy Hash: 644154B4C052589FCB11CFA9C894ACEBFF1BF09304F1585AAE859AB351D7349805CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0150C759
Memory Dump Source
• Source File: 00000007.00000002.907163894.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: a75bcadac0343e05d9eb5bde831bb8578526bf18ec2951b79bfb76ddb4adc473
• Instruction ID: d6abe51ea46790b6645d460c9444dd81b896c527829aafde7a5e4e0ec5723993
• Opcode Fuzzy Hash: a75bcadac0343e05d9eb5bde831bb8578526bf18ec2951b79bfb76ddb4adc473
• Instruction Fuzzy Hash: 694134B4E00258DFDB11CFA9C984A9EBFF5BF49304F15816AE918AB341D774A805CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0150C49C
Memory Dump Source
• Source File: 00000007.00000002.907163894.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 255e8322044e5c98f3d576ee1b1d9c726ababa21bf8cabf3fa9feaf0cbb25be5
• Instruction ID: e08f7072c14dab39b6228ffd9a6db23a441387f76bc5c3863ea9ddc7794d55d0
• Opcode Fuzzy Hash: 255e8322044e5c98f3d576ee1b1d9c726ababa21bf8cabf3fa9feaf0cbb25be5
• Instruction Fuzzy Hash: FF4156B1D042498FDB10CFA9C444A9EFFF5BF49304F29C5AAE508AB381D7759845CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0150C759
Memory Dump Source
• Source File: 00000007.00000002.907163894.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 68a33a7b78559cf693e99cc4f0c00ed1fc84694da49380b04996b5755a3f8ee9
• Instruction ID: 14fc88dcd07bb53fb362cbb044717650764bf8467720a4267160208a9f0e5a3c
• Opcode Fuzzy Hash: 68a33a7b78559cf693e99cc4f0c00ed1fc84694da49380b04996b5755a3f8ee9
• Instruction Fuzzy Hash: DA31E0B5D002589FCB20CF9AC984A9EBFF5BF49310F54816AE819AB340D774A945CF90
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0150C49C
Memory Dump Source
• Source File: 00000007.00000002.907163894.0000000001500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: eb1a0d465e20178d583499937c0e453d232650542aee06ee1bdce577ead2ca51
• Instruction ID: 4493094dfd246930a992fc46c0b7f2c97527cde66e075034d13097643644769b
• Opcode Fuzzy Hash: eb1a0d465e20178d583499937c0e453d232650542aee06ee1bdce577ead2ca51
• Instruction Fuzzy Hash: 043102B1D04248CFDB10CF99C584A9EFFF5BF49304F2986AAE909AB381C7759945CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0152E747
Memory Dump Source
• Source File: 00000007.00000002.907208651.0000000001520000.00000040.00000001.sdmp, Offset: 01520000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: 369fdc1b684e93415645d9c1ea42dc18d268d957525d24551e0a136805666454
• Instruction ID: 5248f3c8d2bf1b697e2c50aa30d695654658758204c8e9a286f4c413771ce6f3
• Opcode Fuzzy Hash: 369fdc1b684e93415645d9c1ea42dc18d268d957525d24551e0a136805666454
• Instruction Fuzzy Hash: 841144B2C006699BCB10CF9AD445BDEFBF4FB49220F05856AE914B7240D378A940CFE5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID: P@Xk
• API String ID: 0-852570866
• Opcode ID: 6dd6fb896c3e1f4a708b3884019cef66ed581ab7e9585fea014f589116389e76
• Instruction ID: 2eb33ea1e0f5dd7d5399474ae9e433e338a75e48436919d4438e0161ab62735b
• Opcode Fuzzy Hash: 6dd6fb896c3e1f4a708b3884019cef66ed581ab7e9585fea014f589116389e76
• Instruction Fuzzy Hash: C731BE31F042098FEB15AB78D0586EF7BE6EF88214B14446AD006EB355EF389C45CB91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID: P@Xk
• API String ID: 0-852570866
• Opcode ID: 8e050980a1a3cb8c0ffaa93b27fcf3fc6466e3b4a37af2683c6be8724ffdf079
• Instruction ID: 91a5f97d45922cf3d23e9d363da596e89f0b894b36e4b3d9c2afca923a95e9c0
• Opcode Fuzzy Hash: 8e050980a1a3cb8c0ffaa93b27fcf3fc6466e3b4a37af2683c6be8724ffdf079
• Instruction Fuzzy Hash: 4431AF31B042098FEB15AB78D0586EFBBE7EF88255B14446AD406EB394EF389C45CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfbc5021c62ebebcbebc6a343b32329099ca3d046366d06de97ead225081610e
• Instruction ID: 98e6ad3901d493be1c7f59828fa544000de288fd3172226385c9a08acc2b73eb
• Opcode Fuzzy Hash: cfbc5021c62ebebcbebc6a343b32329099ca3d046366d06de97ead225081610e
• Instruction Fuzzy Hash: 44422E74A4455C8FEB24DFA0C850BAEBBB2EF89304F1184B9C20A6B394DB355D45EF52
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3641194ee8fc8a76d2069954d97ef68198624f7c6a9bfae53ba05a0a1314a088
• Instruction ID: 554af6e8a675a325998f961b5b5d7ede63526a1fa5f1516033bae68e05572a45
• Opcode Fuzzy Hash: 3641194ee8fc8a76d2069954d97ef68198624f7c6a9bfae53ba05a0a1314a088
• Instruction Fuzzy Hash: DF327174A002048FCB14EFB8D4586AEBBF2FF89314F248966E505EB765DB389D46CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff03f8cfa460879a815e5a562de3dc432f801e87666d59ca0d7014af27777d9
• Instruction ID: 3e19ee84b2701befdf4018bee6fa9fa924662756aea3b7fc11ad3c3d47c68e1f
• Opcode Fuzzy Hash: 2ff03f8cfa460879a815e5a562de3dc432f801e87666d59ca0d7014af27777d9
• Instruction Fuzzy Hash: FD229E30B002158FDB15EB74D4586AEBBF2AF85204F14857AE50AEB3A5EF34DC46CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95113ce9e9a8bb5092d70f63654dad721b4ed4a8314131653e4daa15a3c2b62d
• Instruction ID: 6527f76c3b4c33cc8389930a1cf36833550afb38143d1422c6fcb95d53c198e5
• Opcode Fuzzy Hash: 95113ce9e9a8bb5092d70f63654dad721b4ed4a8314131653e4daa15a3c2b62d
• Instruction Fuzzy Hash: 47421D74A4451C8FEB24DFA4C850BAEBBB2EF89304F1184B9C20A6B394DB355D46EF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 141235bce8e4e8b6989bef10ce3c351190a5e5e663ec82d2e4bff3a78d0e4215
• Instruction ID: 7d0dda60d50997221fb1dd6b7d2ae352ffe6c09aa115a38d08714ca04477901c
• Opcode Fuzzy Hash: 141235bce8e4e8b6989bef10ce3c351190a5e5e663ec82d2e4bff3a78d0e4215
• Instruction Fuzzy Hash: 6B029230F052458FDB21EBA8D4847AEBBF1EB86310F148966E505EB3A2DB34DC468B51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fcb2d515be2a1a6379924dda0b9a6fd578ba8f09e81d9b5ef7f4dd42bc1d8041
                                                                                                                • Instruction ID: 605e6a313b5b43ad03960621586fc413ac84e4be72748987c83ae753e9e35d15
                                                                                                                • Opcode Fuzzy Hash: fcb2d515be2a1a6379924dda0b9a6fd578ba8f09e81d9b5ef7f4dd42bc1d8041
                                                                                                                • Instruction Fuzzy Hash: 67F15C30A493854FD7079B78985469A3FF29F87304F1A84F7D548DB2A3E6789C0A8762
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0ae33bc7489ba5df884f1134048635c3f882b4f79419d536c623521742eb89eb
                                                                                                                • Instruction ID: 777ca0153eeedf7209ca0dc05fddd264b13b077b636eebaf2fdb0bff97e355ec
                                                                                                                • Opcode Fuzzy Hash: 0ae33bc7489ba5df884f1134048635c3f882b4f79419d536c623521742eb89eb
                                                                                                                • Instruction Fuzzy Hash: 2EE1DE30B052448FDB15AB78D818B6E7BB2EF81324F258566E916DB3E5DF349C0ACB41
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 44ff49799a1e654d2a6d7cb8baca85b8a257cd0f7bedfd05670682a566a92b59
                                                                                                                • Instruction ID: 4c62316e82a7d43bac5b6d908c3c344e93937ebdd8b9fa51821fd83b820abc59
                                                                                                                • Opcode Fuzzy Hash: 44ff49799a1e654d2a6d7cb8baca85b8a257cd0f7bedfd05670682a566a92b59
                                                                                                                • Instruction Fuzzy Hash: 51C1D2347042158FDB19AB28C894BBE7BA2EF89644F05846BE506CB3A1DF34CC06CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: df596975433211ad396b0b1f79816d1104c7e29fc9a6f4e6f9404534f9a39ab6
                                                                                                                • Instruction ID: 29a95c356413585915fa64c4ed78a0e2f9173f650193ac585efb4d1c01102021
                                                                                                                • Opcode Fuzzy Hash: df596975433211ad396b0b1f79816d1104c7e29fc9a6f4e6f9404534f9a39ab6
                                                                                                                • Instruction Fuzzy Hash: F6D12A71A00515CFCB05DF6DD598AADBBF6BF88314B1A80AAE505AB372CB30EC41CB50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2bf08889fd0cb04446d20de46392d2c273c528c12025527a816af6d5bd196cb3
                                                                                                                • Instruction ID: 74af53554966db47e2cf90b97ce4f82cf2552f262e4a5a8dd04d9801395bd470
                                                                                                                • Opcode Fuzzy Hash: 2bf08889fd0cb04446d20de46392d2c273c528c12025527a816af6d5bd196cb3
                                                                                                                • Instruction Fuzzy Hash: 53D11B71A00615CFCB05DF68D588AADBBF6BF88314B1A849AE515AB372DB30EC41CB54
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 09192e516ffe29f6fd7310efa95fb46065dd6f3e0b4fb2fc9c87550fc388f3e9
                                                                                                                • Instruction ID: 44b969bbfc06a0e963cb556d558931f081b3e86c3c3f6de0ef56910f23b10e40
                                                                                                                • Opcode Fuzzy Hash: 09192e516ffe29f6fd7310efa95fb46065dd6f3e0b4fb2fc9c87550fc388f3e9
                                                                                                                • Instruction Fuzzy Hash: BFB1D330B143409FDB15DB38C44479EBBA2AF85318F29C1ABD5089F3A6E775DC4A8752
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3bc7a8ff033568ee2314fe29f159a3fafe27404a6a202cd2bbbf144eb63fef3a
                                                                                                                • Instruction ID: 7a520dcdc74f748c00ffcae13b8c99290700fb28ed77d7f3082a07df5571f6a3
                                                                                                                • Opcode Fuzzy Hash: 3bc7a8ff033568ee2314fe29f159a3fafe27404a6a202cd2bbbf144eb63fef3a
                                                                                                                • Instruction Fuzzy Hash: 3AC15A70A00609DFCB15EFA9C884EAEBBF2BF48714F15855AE905AB3A1D770ED41CB50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 982ba34d3bf591e0fdf0156b00f70482094fc08c2a081dd0ca5e51ca04c0fc88
                                                                                                                • Instruction ID: 88e476467fd9d30856a55555d788541c281a4fffda5829ef121515709e37d3c0
                                                                                                                • Opcode Fuzzy Hash: 982ba34d3bf591e0fdf0156b00f70482094fc08c2a081dd0ca5e51ca04c0fc88
                                                                                                                • Instruction Fuzzy Hash: A57102307042158FDB2AAB3CD8547BEBBA6AF89210F19446BE546CB3A1DF34DC41CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a021e0a5e80f8fb317e144d503136b85b690d879efe1728ada286f9abcfd3db9
                                                                                                                • Instruction ID: 69ba1d3bfcb925bb41258c900eb8033f41372dd7ccbbaab76ecdafbf4f92bcfa
                                                                                                                • Opcode Fuzzy Hash: a021e0a5e80f8fb317e144d503136b85b690d879efe1728ada286f9abcfd3db9
                                                                                                                • Instruction Fuzzy Hash: 88813230B0A3C14FD706EB799814A5A7FF29B86204B1984F7D548DF6A3DA78DC0AC751
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: aa1330544e8a23f61622e8f7fbafc76ebc289fa6b2003322697ce0ab3db4543d
                                                                                                                • Instruction ID: 835b55f0a382386ec3510cf8b0f9112b5b0d6faf28509618165a9daee8c151d0
                                                                                                                • Opcode Fuzzy Hash: aa1330544e8a23f61622e8f7fbafc76ebc289fa6b2003322697ce0ab3db4543d
                                                                                                                • Instruction Fuzzy Hash: DA914B31A042598FCB15EF69C884AAEBBB5FF45310F1684AAE9159F372C770EC41CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1804e7b7410948835169cb7f68aa1fa5d4877f9f71fdaf9c39e3970b50fade90
                                                                                                                • Instruction ID: 36376e5cd2e2037851a71208728b4e887c48803de2b1ca6792db1eb1a04f199e
                                                                                                                • Opcode Fuzzy Hash: 1804e7b7410948835169cb7f68aa1fa5d4877f9f71fdaf9c39e3970b50fade90
                                                                                                                • Instruction Fuzzy Hash: D35169717141058FDB14EE3EC884A6EBBE9FF48A5071544AAE916CB372DB31EC018B60
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a8e8b603d9a3a76f0807b25de6000a7c22a7d3fce5257d570ee2c4e1ae6f0861
                                                                                                                • Instruction ID: 9a624be5f4d962fb16c658fd2ff26d38fa9df4937b484a18bc9428543e9ca793
                                                                                                                • Opcode Fuzzy Hash: a8e8b603d9a3a76f0807b25de6000a7c22a7d3fce5257d570ee2c4e1ae6f0861
                                                                                                                • Instruction Fuzzy Hash: EA510434E112189FCB14EFB4E9587AEBBF6BF88204F1084A9E509E7354EF3499458F50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 27ce3e2ce3afcd822b50f4cf83c9293cfa4989e4885292be2628656c90e4357b
                                                                                                                • Instruction ID: 840351e643b55631ef4cfd1b103935bbb97d5b5c4e9c3e73239b24051f2c0c3b
                                                                                                                • Opcode Fuzzy Hash: 27ce3e2ce3afcd822b50f4cf83c9293cfa4989e4885292be2628656c90e4357b
                                                                                                                • Instruction Fuzzy Hash: 5E4191313042458FCB1AAF28E8546AE3BB6EF89355B05807AE509CF761DB38CC16CB61
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9c3b5286a6f7d2eb9d6169318f89bbbf5045ac497b8d105343c0ef9c217f8e62
                                                                                                                • Instruction ID: 89cc1b346966d25fdc94d1c8a71f06af0ad1bb832a0fc82433185bec539f6e64
                                                                                                                • Opcode Fuzzy Hash: 9c3b5286a6f7d2eb9d6169318f89bbbf5045ac497b8d105343c0ef9c217f8e62
                                                                                                                • Instruction Fuzzy Hash: D5412774610119DFDB15AF28C888AAE7BB6FF88710F10406AF9169B3B1CB31ED41CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2e28c96485f8633725481c37d203a28286d9c5bb1545bd5cb4019fe6c38378c5
                                                                                                                • Instruction ID: 5b1ff4b40f76499cb39ed2631e667377d35c0bda04c3f699217ba59e1d0526e6
                                                                                                                • Opcode Fuzzy Hash: 2e28c96485f8633725481c37d203a28286d9c5bb1545bd5cb4019fe6c38378c5
                                                                                                                • Instruction Fuzzy Hash: 1A31A134B102145FDB05AB7894582AE7BE3EFC8204B5455B9E40ADB399DF38DC06CB80
                                                                                                                Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c029ab2593f9cb2151f61767baabbeba22ade4d02109d97f38644fc812a057af
• Instruction ID: 9aaad6cf76724042ec30d50147053a1cb8188cb5d1b2d1471d609c42e7239ae8
• Opcode Fuzzy Hash: c029ab2593f9cb2151f61767baabbeba22ade4d02109d97f38644fc812a057af
• Instruction Fuzzy Hash: A131A731F042058FCB01EBBCD8049AE77F2EB89614B558077D509E7351EB34AC068BA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c755adccda56a10272891ff8a4d8dacd37ee86e033915f7ec7d35e1a7804ae6a
• Instruction ID: a540dcf190d01f3c23400ee1da64db2e6711d0e80794e80c849a01ed2e69a292
• Opcode Fuzzy Hash: c755adccda56a10272891ff8a4d8dacd37ee86e033915f7ec7d35e1a7804ae6a
• Instruction Fuzzy Hash: FC2171313046154BDB1A7E39C49527E7ADBBFC4918B14803AD902CB7A6DE35C8439781
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e70361c6b5050b9676500eddd4e137a0688eab7760bbd5ffdaff99be2d0037e3
• Instruction ID: d7ed2e99849dd7590ea24d1175621cf153c74992922846fac58dc5998e591ae6
• Opcode Fuzzy Hash: e70361c6b5050b9676500eddd4e137a0688eab7760bbd5ffdaff99be2d0037e3
• Instruction Fuzzy Hash: ED213D303046154BEB167E29D4A477E7A9BBFC4A18F14803AD902CB7A6DA79CC439791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb79dd7a9c429b7b7e93807f876231228ea1fcb22cb6d2384afee92b89bd19c6
• Instruction ID: 2af4c25113be4ba58a1fa1836c54306c0eb8356c9955c63fa7a56a82813be88b
• Opcode Fuzzy Hash: cb79dd7a9c429b7b7e93807f876231228ea1fcb22cb6d2384afee92b89bd19c6
• Instruction Fuzzy Hash: D13141316001099FCF06AF59D854ABF7FA6EB88711F048027FA1697361CB35CD62DBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c613c3c9b495f23351b0153945cca54afd2ffe039fd95469f20a4b4647a25ef
• Instruction ID: 7cafec50230345724a9331c65727f6fdc4332baba7af9ced2e5a3a54845db208
• Opcode Fuzzy Hash: 2c613c3c9b495f23351b0153945cca54afd2ffe039fd95469f20a4b4647a25ef
• Instruction Fuzzy Hash: 3021A0327081598BEB00DE2BD840AAF7BA9FB45A10F058436F906C7361EB35D801C7A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1372b783296defb448bc3e1ea9ce343ffe7781797ec7d69b4e9ead6c70752c47
• Instruction ID: a5c06632fa9fcffedd5c43a10a8df0d306dfe1b59420ca2d7b787be962c98922
• Opcode Fuzzy Hash: 1372b783296defb448bc3e1ea9ce343ffe7781797ec7d69b4e9ead6c70752c47
• Instruction Fuzzy Hash: 6211E331F013094FCB55AB7898187AF7BE69B86250F2544B7D509EB356EE38CC0687E1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9647316e7d37b8dfc54be4b0ac70281fdb4d0a67d3b7ed421febd8066dd2252d
• Instruction ID: 1939df07f725b65576497d0bd171a13573a14e3345415d4f8c3c737418c9f1f4
• Opcode Fuzzy Hash: 9647316e7d37b8dfc54be4b0ac70281fdb4d0a67d3b7ed421febd8066dd2252d
• Instruction Fuzzy Hash: C91191353019118FD7196A2DD8A5A7FB7A6EB84A95B19407BE906CB360CF30DC038B80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1960fe960a452a9ba86affa75b639d400e6175b2e075875a938e3ed5af635276
• Instruction ID: e6c8140c42ba66c03fbdc02f80da63e4890df7e7802b3c76f9761e9e4f1464b9
• Opcode Fuzzy Hash: 1960fe960a452a9ba86affa75b639d400e6175b2e075875a938e3ed5af635276
• Instruction Fuzzy Hash: 55114920B4E3C04FD3039B7888246667FA29B87204F29C0E3D584DB6A7D679CD0AC762
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e7f4bcae248e9e74bc9fbd4f7d6537351504f32f45f7026da9a6860ffd1a312
• Instruction ID: bb85415682b42ea2ed210d780a8125f26f5390d72372e29220d633ccaab77b90
• Opcode Fuzzy Hash: 2e7f4bcae248e9e74bc9fbd4f7d6537351504f32f45f7026da9a6860ffd1a312
• Instruction Fuzzy Hash: D711A171F012158FCB51EB7898146AF7BF2AF95254F2880BBD509DB396EB38CC0587A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4c6658e1c902a81b7456d91007c40e2ee686801392be4f3f2701093c9a91260
• Instruction ID: c31a84b868eacc41170b7db1946d91eca79cacf44994398efbf2b2bd4ad8342e
• Opcode Fuzzy Hash: a4c6658e1c902a81b7456d91007c40e2ee686801392be4f3f2701093c9a91260
• Instruction Fuzzy Hash: 26116A71E0121A9FCB01EFACC8406AEBBB5FF88211F10842BE915E7351D7748A15CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c9e8c0891b8ed7452d955d61e9c5a5176ab64709307f02ec691916c0da9dc35
• Instruction ID: 4edb2cd9518b115a3386d666b8a8d38fd33489ecf0fe6d2b5578495a7749ad7e
• Opcode Fuzzy Hash: 9c9e8c0891b8ed7452d955d61e9c5a5176ab64709307f02ec691916c0da9dc35
• Instruction Fuzzy Hash: BD01B132B001196FDB05AE689810BEF3AAADBC8750F18802BFA05D7380DA7198129790
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e5a98cfd969f41199701f07065ac26e4f4bf833ae673cb2c16ff99e8000d8c76
• Instruction ID: af03873d3c26fd814150e1efb8c6dcdf27b6a17b9499508749681f6de08916e1
• Opcode Fuzzy Hash: e5a98cfd969f41199701f07065ac26e4f4bf833ae673cb2c16ff99e8000d8c76
• Instruction Fuzzy Hash: 01F0E972D052449FC741EBBDD84819E7FF5EF8E211B1550B7E509D3211EA704A06CBD0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cc8a971a25c9e2c1113ef80c8b0911c6f923a8ee92dad4e96fb1de8f1d7b91c
• Instruction ID: 75f4145ef52242785424b9d5b34950a848b731a1281bac9a003942da32e399a5
• Opcode Fuzzy Hash: 3cc8a971a25c9e2c1113ef80c8b0911c6f923a8ee92dad4e96fb1de8f1d7b91c
• Instruction Fuzzy Hash: 92E0ED35F504148B8F00FBF8D8545DDB3F2FB98210B008075E909E73A4EE349D128B61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 109e7a385a4cda985c2909db9dddce3d02ce6f6405e579901d9f76818386cdd5
• Instruction ID: d9fbf39b04ec23f3b12310ad8e7735cf3805318e70d17289f9f9bec97702972f
• Opcode Fuzzy Hash: 109e7a385a4cda985c2909db9dddce3d02ce6f6405e579901d9f76818386cdd5
• Instruction Fuzzy Hash: 81E0ED35F104148B8F00FBF8D8549DDB3F2EB98211B108076E90AE7354DE349D168B61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4870d8e6744c0f1acaa8061cdf01eeb8a6486c719a4fae3b5c92a139b2f67853
• Instruction ID: 1fc07876a2c4798b4919bcc4267530503c2644c6aa7e73d80b50ecaa6f19ddc7
• Opcode Fuzzy Hash: 4870d8e6744c0f1acaa8061cdf01eeb8a6486c719a4fae3b5c92a139b2f67853
• Instruction Fuzzy Hash: A9E0C939B102188F8F44EBB8E85999D77F2FB88221B018465E906E3354DE34AD12CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47801ec4bf616a83c2e404302684dc25b7c983ed19e31fba4eef4834ef23935f
• Instruction ID: c0d8b4f3363044caff77ec8e097084ac5780c71166761990005dcf8fae26449a
• Opcode Fuzzy Hash: 47801ec4bf616a83c2e404302684dc25b7c983ed19e31fba4eef4834ef23935f
• Instruction Fuzzy Hash: 99E01275E001199F8750EBBDA8495AE7AF9EA8C211B104476E509D3200EA7049018BD1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 983976e3a36aa77f7af8b12e00944bd5b702eb591cd517592cdbdda76d53989f
• Instruction ID: df990c934f6e895ecc64990210d54be0749593a177c1e8815d3c24bec988c415
• Opcode Fuzzy Hash: 983976e3a36aa77f7af8b12e00944bd5b702eb591cd517592cdbdda76d53989f
• Instruction Fuzzy Hash: EFD0A730198A090BE380AB74E8877BA372AD7C020CF64D971B10C86264DF7CD81A5BC2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b4dfea168b28fa07fca8cdcd44b0188e6014a1158c4a8cead456ae78bcbbadb
• Instruction ID: 63c0502be7490442d8cab6c94f534edfbadb855d1818c33efdfb1d14f26bad48
• Opcode Fuzzy Hash: 9b4dfea168b28fa07fca8cdcd44b0188e6014a1158c4a8cead456ae78bcbbadb
• Instruction Fuzzy Hash: 5BC012305587094A8244EF74F445477375BD7C020C340D931B1084A164DF7C99155785
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000007.00000002.907077371.0000000001480000.00000040.00000001.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID:
• String ID: #l$#l$#l$#l
• API String ID: 0-1059362456
• Opcode ID: 7fafff5d79889c991c7a4f678cd20d5f2ac70dae8d1148e3fc010cb22de62314
• Instruction ID: 8dfcb0cf279ccdc79610deef838c5ca661996c4bb13e190afc9f41d6509d67b0
                                                                                                                • Opcode Fuzzy Hash: 7fafff5d79889c991c7a4f678cd20d5f2ac70dae8d1148e3fc010cb22de62314
                                                                                                                • Instruction Fuzzy Hash: E6019E317100258F9714AA2DC02092FB7A9AFEAF65715417BF605CB370DB30DC438781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%