Analysis Report Swift_Copy.exe

Overview

General Information

Sample Name: Swift_Copy.exe
Analysis ID: 385478
MD5: 7c315e5221144ebe207421fcf5578985
SHA1: 2d337a4c65ef709607da501c87f3127e61356e2f
SHA256: c9cf74378c0ab6240ef866be3673dd54a46b36ccf58a7c9036344f96fb812aee
Tags: exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Swift_Copy.exe (PID: 7016 cmdline: 'C:\Users\user\Desktop\Swift_Copy.exe' MD5: 7C315E5221144EBE207421FCF5578985)
    • schtasks.exe (PID: 2192 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Swift_Copy.exe (PID: 5952 cmdline: C:\Users\user\Desktop\Swift_Copy.exe MD5: 7C315E5221144EBE207421FCF5578985)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "result.package@yandex.ruBlessing123smtp.yandex.ru"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.908724525.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.684677250.000000000A4D5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(4 further memory-dump entries are collapsed in the original report and are not shown here)

Unpacked PEs

Source | Rule | Description | Author
7.2.Swift_Copy.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.Swift_Copy.exe.a576e18.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.Swift_Copy.exe.a576e18.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\Swift_Copy.exe'
  ParentImage: C:\Users\user\Desktop\Swift_Copy.exe
  ParentProcessId: 7016
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
  ProcessId: 2192
Note that the command line names System32\schtasks.exe while the image actually started is SysWOW64\schtasks.exe: the 32-bit parent is subject to WOW64 file system redirection, so detection rules keyed on the image path must accept both locations.
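The Sigma hit above reduces to a small amount of logic over process-creation telemetry. The following Python port is an added example, not code from the Joe Sandbox report or from the Sigma rule itself; it assumes Sysmon Event ID 1 / Security 4688 style fields (Image, CommandLine, ParentImage, ProcessId), and the event records it runs over are constructed for the example, the first of them reproducing the schtasks invocation from this report.

```python
# Added example, not part of the Joe Sandbox report: a Python port of the logic
# behind the Sigma hit "Scheduled temp file as task from temp location", run
# over constructed process-creation records.
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process (Sysmon EID 1 Image / 4688 NewProcessName)
    command_line: str
    parent_image: str
    process_id: int


# Directories where an XML task definition should never legitimately come from.
TEMP_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Locations a non-admin user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring '...' and "..." quoting.
    Backslashes are kept literally; shlex in POSIX mode would treat them as escapes."""
    tokens: List[str] = []
    cur: List[str] = []
    quote: Optional[str] = None
    for ch in cmdline:
        if quote is not None:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in ("'", '"'):
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def _option_value(args: List[str], name: str) -> Optional[str]:
    """Value following a case-insensitive schtasks switch such as /TN or /XML."""
    lowered = [a.lower() for a in args]
    if name not in lowered:
        return None
    i = lowered.index(name)
    return args[i + 1] if i + 1 < len(args) else None


def scheduled_task_from_temp(event: ProcessEvent) -> Optional[Dict[str, object]]:
    """Match schtasks.exe /Create registering a task from an XML file in a temp directory."""
    if not event.image.lower().endswith("\\schtasks.exe"):   # System32 or SysWOW64
        return None
    args = tokenize(event.command_line)
    if "/create" not in (a.lower() for a in args):
        return None
    xml_path = _option_value(args, "/xml")
    if not xml_path or not TEMP_DIRS.search(xml_path):
        return None
    return {
        "process_id": event.process_id,
        "task_name": _option_value(args, "/tn"),
        "xml_path": xml_path,
        "parent_image": event.parent_image,
        # A parent running from a user-writable path is the stronger signal: installers
        # and admin scripts normally run from Program Files or System32.
        "parent_user_writable": bool(USER_WRITABLE.search(event.parent_image)),
    }


def scan(events: Iterable[ProcessEvent]) -> List[Dict[str, object]]:
    return [m for m in (scheduled_task_from_temp(e) for e in events) if m]


# Constructed records: the first reproduces the report's schtasks invocation
# (PID 2192, parent Swift_Copy.exe); the other two are benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\schtasks.exe",
        command_line=r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' "
                     r"/XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'",
        parent_image=r"C:\Users\user\Desktop\Swift_Copy.exe",
        process_id=2192,
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
        parent_image=r"C:\Program Files\Backup\setup.exe",
        process_id=4100,
    ),
    ProcessEvent(
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r"schtasks.exe /Query /TN Updates\NiUISpmncyqd",
        parent_image=r"C:\Windows\System32\cmd.exe",
        process_id=4101,
    ),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Only the first record matches: the XML path sits under AppData\Local\Temp and the parent runs from the user's Desktop. The ProgramData control shows why the rule keys on the XML location rather than on /Create alone, which installers use routinely.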

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.Swift_Copy.exe.a576e18.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "result.package@yandex.ruBlessing123smtp.yandex.ru"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: Swift_Copy.exe | Virustotal: Detection: 31%
Source: Swift_Copy.exe | ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Swift_Copy.exe | Joe Sandbox ML: detected
Source: 7.2.Swift_Copy.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Swift_Copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Swift_Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb | source: Swift_Copy.exe, 00000001.00000002.684215744.00000000086D0000.00000002.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.909358793.00000000011C0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (reported 5 times)
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 77.88.21.158:587
Source: unknown | DNS traffic detected: queries for: smtp.yandex.ru
Source: Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.910470938.000000000325E000.00000004.00000001.sdmp | String found in binary or memory: http://M7Hwvg39EZsNS3.net
Source: Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: http://Mjyucn.com
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Swift_Copy.exe, 00000001.00000003.647260344.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Swift_Copy.exe, 00000001.00000003.647260344.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: Swift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comams
Source: Swift_Copy.exe, 00000001.00000003.647008291.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comfachUD
Source: Swift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comint
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Swift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comlaywU
Source: Swift_Copy.exe, 00000001.00000003.647260344.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comncy
Source: Swift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comonaEUo
Source: Swift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comy
Source: Swift_Copy.exe, 00000001.00000003.647330238.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comypo
Source: Swift_Copy.exe, 00000001.00000003.647260344.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comypol;
Source: Swift_Copy.exe, 00000001.00000003.647622574.00000000056FE000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comypooo
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Swift_Copy.exe, 00000001.00000003.656444196.00000000056F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Swift_Copy.exe, 00000001.00000003.650057481.00000000056FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers.R
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.650731068.00000000056FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Swift_Copy.exe, 00000001.00000003.649928925.00000000056FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/o
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Swift_Copy.exe, 00000001.00000003.650536948.00000000056FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Swift_Copy.exe, 00000001.00000003.650341989.00000000056FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersORe
Source: Swift_Copy.exe, 00000001.00000003.651716227.00000000056F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersR
Source: Swift_Copy.exe, 00000001.00000003.649972151.00000000056FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersp
Source: Swift_Copy.exe, 00000001.00000003.651436325.00000000056F5000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersuR
Source: Swift_Copy.exe, 00000001.00000003.672581470.00000000056C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTF
Source: Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comE.TTF
Source: Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comO=
Source: Swift_Copy.exe, 00000001.00000003.672581470.00000000056C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comak=
Source: Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed3=
Source: Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituF$=
Source: Swift_Copy.exe, 00000001.00000003.672581470.00000000056C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commr=
Source: Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comr=
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Swift_Copy.exe, 00000001.00000003.645259047.00000000056DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: Swift_Copy.exe, 00000001.00000003.646769974.00000000056CB000.00000004.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.646524857.00000000056C4000.00000004.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.646509059.00000000056FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Swift_Copy.exe, 00000001.00000003.646509059.00000000056FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn.
Source: Swift_Copy.exe, 00000001.00000003.646684294.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/$
Source: Swift_Copy.exe, 00000001.00000003.646684294.00000000056C4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/TS
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Swift_Copy.exe, 00000001.00000003.646509059.00000000056FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnj
Source: Swift_Copy.exe, 00000001.00000003.646509059.00000000056FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnu-r
Source: Swift_Copy.exe, 00000001.00000003.653279079.00000000056CD000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Swift_Copy.exe, 00000001.00000003.645172427.00000000056DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comd
Source: Swift_Copy.exe, 00000001.00000003.645092939.00000000056DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comn
Source: Swift_Copy.exe, 00000001.00000003.645172427.00000000056DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comriwnD
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.646116742.00000000056C6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Swift_Copy.exe, 00000001.00000003.645469714.00000000056DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comh
Source: Swift_Copy.exe, 00000001.00000003.645560443.00000000056DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Swift_Copy.exe, 00000001.00000002.684677250.000000000A4D5000.00000004.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.908724525.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Swift_Copy.exe.400000.0.unpack, <PrivateImplementationDetails>{272E5407-5526-43EA-BB1F-218C2EA70DDB}/9277F006-78E0-4746-B03B-8BB250349926.cs | Large array initialization: .cctor: array initializer size 11954
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_06850FEA NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0685115A NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_06850FC8 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0685111F NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_0130B0BA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_0130B089 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538ED30
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053825D8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538342A
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05383060
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053830B0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538E8D0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053854C8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05384388
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05386380
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05384B80
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538B7C0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053822A8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05387D35
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053885B0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053825C9
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05388038
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05383820
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05388410
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05388400
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05389058
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05388040
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053870B0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053870AA
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053830A2
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05386339
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538BFBE
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05384382
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05384FE9
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538BFC0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538C639
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538DE30
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05388210
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_05388201
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538BA70
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538BA61
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0538C648
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_053862AD
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B371120
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B372511
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B371518
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B371B68
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B374069
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B37285F
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B371514
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B37111C
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B372B0C
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B371B63
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B372A76
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B372A5F
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B372A9E
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_0B372AD0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012A8FA8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012AA9E0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012AF008
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012A5818
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012A9E70
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012A0070
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012AD6C4
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012A8F98
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012A0006
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012B0070
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012B4D98
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012B41E8
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012B23E0
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012B63F1
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_052F5018
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_052F0A98
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_052F76D8
Source: Swift_Copy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NiUISpmncyqd.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Swift_Copy.exe, 00000001.00000002.672910086.0000000000BD2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSafeIsolatedStorageFileHandle.exe: vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000001.00000002.673997999.0000000003260000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDywYPVsnvvkYPYwtfgclREFLpEPsDjOMvhyaXVq.exe4 vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000001.00000002.685093468.000000000B5F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000001.00000002.685223357.000000000B6F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000001.00000002.685223357.000000000B6F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000001.00000002.684305050.00000000088B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000001.00000002.684215744.00000000086D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000001.00000002.674224467.00000000041D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000000.672248020.0000000000B22000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSafeIsolatedStorageFileHandle.exe: vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.911340858.00000000053E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.909473894.00000000012D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.909459072.00000000012C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.908724525.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameDywYPVsnvvkYPYwtfgclREFLpEPsDjOMvhyaXVq.exe4 vs Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.909358793.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Swift_Copy.exe
Source: Swift_Copy.exe | Binary or memory string: OriginalFilenameSafeIsolatedStorageFileHandle.exe: vs Swift_Copy.exe
Source: Swift_Copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Swift_Copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NiUISpmncyqd.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.Swift_Copy.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (reported twice)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_06850D46 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_06850D0F AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_0130AF3E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_0130AF07 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\Swift_Copy.exe | File created: C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe
                  Source: C:\Users\user\Desktop\Swift_Copy.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                  Source: C:\Users\user\Desktop\Swift_Copy.exeMutant created: \Sessions\1\BaseNamedObjects\wwmXABTkzyJBHUnGuFJjmL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile created: C:\Users\user\AppData\Local\Temp\tmp6587.tmpJump to behavior
                  Source: Swift_Copy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\Swift_Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\Swift_Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\Desktop\Swift_Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\Desktop\Swift_Copy.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\Swift_Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\Desktop\Swift_Copy.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\Desktop\Swift_Copy.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Swift_Copy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\Swift_Copy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                  Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: Swift_Copy.exeVirustotal: Detection: 31%
                  Source: Swift_Copy.exeReversingLabs: Detection: 31%
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile read: C:\Users\user\Desktop\Swift_Copy.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\Swift_Copy.exe 'C:\Users\user\Desktop\Swift_Copy.exe'
                  Source: C:\Users\user\Desktop\Swift_Copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Swift_Copy.exeProcess created: C:\Users\user\Desktop\Swift_Copy.exe C:\Users\user\Desktop\Swift_Copy.exe
                  Source: C:\Users\user\Desktop\Swift_Copy.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
                  Source: C:\Users\user\Desktop\Swift_Copy.exeProcess created: C:\Users\user\Desktop\Swift_Copy.exe C:\Users\user\Desktop\Swift_Copy.exe
                  Source: C:\Users\user\Desktop\Swift_Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                  Source: C:\Users\user\Desktop\Swift_Copy.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Swift_Copy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                  Source: Swift_Copy.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: mscorrc.pdb source: Swift_Copy.exe, 00000001.00000002.684215744.00000000086D0000.00000002.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.909358793.00000000011C0000.00000002.00000001.sdmp
                  Source: C:\Users\user\Desktop\Swift_Copy.exeCode function: 1_2_014D7DB0 push ecx; ret
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.81058952683
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.81058952683
                  Source: C:\Users\user\Desktop\Swift_Copy.exeFile created: C:\Users\user\AppData\Roaming\NiUISpmncyqd.exeJump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
Source: C:\Users\user\Desktop\Swift_Copy.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process information set: NOOPENFILEERRORBOX (identical entry listed 91 times)
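The schtasks.exe command line in this section is the persistence event behind the "Sigma detected: Scheduled temp file as task from temp location" signature in the overview. The Python below is an added example for this report, not Joe Sandbox code and not the published Sigma rule: it approximates that detection over constructed process-creation records (parent image, child image, command line), the first modelled on the command line in this report and two benign look-alikes that must stay quiet. The temp-directory and user-writable-parent pattern lists are assumptions to tune per environment.

```python
"""Flag schtasks.exe persistence that registers a task from a temp-directory XML.

Added example for this report: an approximation of the "scheduled temp file as
task from temp location" idea, not the published Sigma rule or sandbox code.
"""
import re

# Assumed locations a task definition should not be loaded from; extend as needed.
TEMP_DIR_PATTERNS = (
    r"\\AppData\\Local\\Temp\\",
    r"\\Windows\\Temp\\",
    r"%TEMP%\\",
    r"%TMP%\\",
)

# Assumed parent locations that make a 'schtasks /Create' suspicious on their own
# (the report's parent is C:\Users\user\Desktop\Swift_Copy.exe).
USER_WRITABLE_PARENT_PATTERNS = (
    r"\\Users\\[^\\]+\\Desktop\\",
    r"\\Users\\[^\\]+\\Downloads\\",
    r"\\AppData\\",
)

# Constructed records (parent image, child image, command line). The first mirrors
# the command line in this report; Joe Sandbox renders double quotes as single
# quotes, so it keeps that form. The other two are benign and must not fire.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Swift_Copy.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' "
     r"/XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'"),
    (r"C:\Program Files\Vendor\setup.exe",
     r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
     r'/XML "C:\Program Files\Vendor\updater.xml"'),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\schtasks.exe",
     r"schtasks.exe /Query /TN Updates\NiUISpmncyqd"),
]

_ARG_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def tokenize(cmdline):
    """Split a command line into arguments, accepting single or double quotes."""
    return [tok.strip("'\"") for tok in _ARG_RE.findall(cmdline)]


def schtasks_args(tokens):
    """Map '/flag' (lower-cased) to its value, or None for a bare flag."""
    args = {}
    i = 1  # tokens[0] is the image itself
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("/"):
            continue
        value = None
        if i < len(tokens) and not tokens[i].startswith("/"):
            value = tokens[i]
            i += 1
        args[tok.lower()] = value
    return args


def _matches(patterns, text):
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def check_schtasks_event(parent, image, cmdline):
    """Return a finding dict for a suspicious 'schtasks /Create', else None."""
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    args = schtasks_args(tokenize(cmdline))
    if "/create" not in args:
        return None
    xml_path = args.get("/xml")
    reasons = []
    if xml_path and _matches(TEMP_DIR_PATTERNS, xml_path):
        reasons.append("task XML loaded from a temp directory")
    if _matches(USER_WRITABLE_PARENT_PATTERNS, parent):
        reasons.append("schtasks spawned from a user-writable location")
    if not reasons:
        return None
    return {"task": args.get("/tn"), "xml": xml_path, "parent": parent, "reasons": reasons}


def scan(events):
    """Run the check over (parent, image, cmdline) records and collect findings."""
    findings = []
    for parent, image, cmdline in events:
        hit = check_schtasks_event(parent, image, cmdline)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"task={f['task']} xml={f['xml']} parent={f['parent']}")
        for reason in f["reasons"]:
            print("  -", reason)
```

Both rules fire on the report's event: the task XML comes from the user's local Temp directory and the caller runs from the Desktop. Installers also use /XML, so in production the parent-location rule carries more weight than the flag itself; the tmpNNNN.tmp naming is a further hint but is deliberately not relied on.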

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7016, type: MEMORY
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\Swift_Copy.exe | Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,keyOpened
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Swift_Copy.exe | Thread delayed: delay time: 922337203685477 (listed twice)
Source: C:\Users\user\Desktop\Swift_Copy.exe | Window / User API: threadDelayed 615
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7020 | Thread sleep time: -104024s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7056 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep count: 615 > 30
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep time: -18450000s >= -30000s
Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep time: -30000s >= -30000s (listed twice)
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Swift_Copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Swift_Copy.exe | Last function: Thread delayed (listed twice)
Source: C:\Users\user\Desktop\Swift_Copy.exe | Thread delayed: delay time: 104024
Source: C:\Users\user\Desktop\Swift_Copy.exe | Thread delayed: delay time: 922337203685477 (listed twice)
Source: C:\Users\user\Desktop\Swift_Copy.exe | Thread delayed: delay time: 30000 (listed 3 times)
Source: Swift_Copy.exe, 00000007.00000002.911340858.00000000053E0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. (the same 053E0000 region carries the Kernelbase.dll.mui OriginalFilename string listed earlier, so the Hyper-V messages from it are mapped OS resource text, not strings of the sample)
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Swift_Copy.exe, 00000007.00000002.909252575.0000000001129000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Swift_Copy.exe, 00000007.00000002.909252575.0000000001129000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\j (a Winsock provider name stored next to the mswsock.dll path and the process environment block, not a VM check performed by the sample)
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Swift_Copy.exe, 00000007.00000002.911340858.00000000053E0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Swift_Copy.exe, 00000007.00000002.911340858.00000000053E0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Swift_Copy.exe, 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Swift_Copy.exe, 00000007.00000002.911340858.00000000053E0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 7_2_012ABEF0 LdrInitializeThunk,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process token adjusted: Debug (listed twice)
Source: C:\Users\user\Desktop\Swift_Copy.exe | Memory allocated: page read and write | page guard
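The thread lines in this section are the raw evidence for the "Contains long sleeps" and "sleep duration tampering" signatures. The Python below is an added example, not part of the report or of Joe Sandbox's tooling. It reads those lines (copied here with the source column separated), splits timed delays from waits of 922337203685477, which is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10,000) and therefore a parked .NET thread rather than a sandbox-defeating sleep, checks that TID 6612's aggregate of 18450000 is exactly its reported 615-iteration loop at 30000 per pass, and approximates the API-chain heuristic as time queries bracketing a delay after a helper thread was created. Reading the values as milliseconds and the bracketing rule itself are assumptions of this example.

```python
"""Read the sleep-evasion evidence from this report's thread lines.

Added example for this report, not Joe Sandbox code. Sleep values are treated
as milliseconds (an assumption about the report's unit).
"""
import re

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10,000 ticks per ms.
# A .NET wait with this timeout never elapses, i.e. a parked thread, not a
# timed sleep meant to outlast a sandbox.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477

SLEEP_RE = re.compile(r"TID: (\d+).*?Thread sleep time: -(\d+)s")
COUNT_RE = re.compile(r"TID: (\d+).*?Thread sleep count: (\d+)")

# Thread lines copied from this report (source column separated with ' | ').
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7020 | Thread sleep time: -104024s >= -30000s",
    r"Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 7056 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep count: 615 > 30",
    r"Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep time: -18450000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Users\user\Desktop\Swift_Copy.exe TID: 6612 | Thread sleep time: -30000s >= -30000s",
]

# The evasive API chain reported for the sample, verbatim.
FUNCTION_CHAIN = ("systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,"
                  "threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,"
                  "threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,"
                  "systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,"
                  "threadDelayed,systemQueried,threadDelayed,threadDelayed,keyOpened")


def summarize_sleeps(lines):
    """Split reported sleeps into timed delays and effectively infinite waits."""
    summary = {"timed_total_ms": 0, "timed_by_tid": {}, "parked_tids": [], "loop_counts": {}}
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            tid, ms = int(m.group(1)), int(m.group(2))
            if ms >= DOTNET_TIMESPAN_MAX_MS:
                summary["parked_tids"].append(tid)
            else:
                summary["timed_total_ms"] += ms
                summary["timed_by_tid"].setdefault(tid, []).append(ms)
            continue
        m = COUNT_RE.search(line)
        if m:
            summary["loop_counts"][int(m.group(1))] = int(m.group(2))
    return summary


def sleep_loop_is_consistent(summary, tid, unit_ms):
    """True if the reported loop count times unit_ms equals one reported aggregate."""
    count = summary["loop_counts"].get(tid)
    return count is not None and count * unit_ms in summary["timed_by_tid"].get(tid, [])


def _collapse_runs(seq):
    out = []
    for item in seq:
        if not out or out[-1] != item:
            out.append(item)
    return out


def timing_check_pattern(chain):
    """Approximation of the sandbox heuristic (assumed, not Joe Sandbox's rule):
    a helper thread is spawned and delay runs are bracketed by time queries,
    which is how code measures whether a sleep really elapsed.
    Returns (thread_spawned, number_of_bracketed_delay_runs)."""
    runs = _collapse_runs(chain.split(","))
    bracketed = sum(
        1 for i in range(1, len(runs) - 1)
        if runs[i] == "threadDelayed"
        and runs[i - 1] == "systemQueried" and runs[i + 1] == "systemQueried"
    )
    return "threadCreated" in runs, bracketed


if __name__ == "__main__":
    s = summarize_sleeps(REPORT_LINES)
    print("timed delay total:", s["timed_total_ms"] // 1000, "s")
    print("parked threads (TimeSpan.MaxValue waits):", s["parked_tids"])
    print("615 x 30 s loop equals 18450000:", sleep_loop_is_consistent(s, 6612, 30_000))
    print("helper thread, time-bracketed delay runs:", timing_check_pattern(FUNCTION_CHAIN))
```

On the report's lines the timed delays sum to about 5.2 hours, almost all of it the 615 x 30 s loop on TID 6612, while TIDs 7056 and 6612 each also hold one TimeSpan.MaxValue wait that should be read as a blocked thread, not as evasion. The chain yields two delay runs bracketed by time queries after the thread creation, which is the shape that makes sleep-skipping in a sandbox observable to the sample.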

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Swift_Copy.exe | Memory written: C:\Users\user\Desktop\Swift_Copy.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
Source: C:\Users\user\Desktop\Swift_Copy.exe | Process created: C:\Users\user\Desktop\Swift_Copy.exe C:\Users\user\Desktop\Swift_Copy.exe
Source: Swift_Copy.exe, 00000007.00000002.909722053.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Swift_Copy.exe, 00000007.00000002.909722053.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Swift_Copy.exe, 00000007.00000002.909722053.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Swift_Copy.exe, 00000007.00000002.909722053.00000000017F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
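The "Memory written ... base: 400000 value starts with: 4D5A" entry, together with the suspended-mode child creation listed in the overview and the second Swift_Copy.exe process created above, is the self-hollowing pattern: the sample starts a copy of itself and overwrites the child's image base with a different PE. The Python below is an added example rather than report or sandbox code: it correlates a constructed API trace of that shape (the event schema and every PID except the report's 7016 are assumed) and validates that the written bytes form a PE header instead of merely starting with the two bytes MZ.

```python
"""Correlate CreateProcess(CREATE_SUSPENDED) with a PE header written to the child's
image base (process hollowing). Added example: the event schema and the trace are
constructed from the entries in this report, not produced by the sandbox."""
from collections import namedtuple

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess creation flag

# api: "CreateProcess" (detail: image, flags), "WriteProcessMemory" (detail: base,
# data) or anything else; pid is the caller, target the affected process.
Event = namedtuple("Event", "api pid target detail")


def looks_like_pe(data):
    """Minimal PE check: 'MZ', e_lfanew inside the buffer, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_pe_stub():
    """Constructed 0x44-byte buffer: DOS header with e_lfanew = 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def detect_hollowing(trace, image_base=0x400000):
    """Findings where the creator of a suspended process writes a PE header to its
    image base. 0x400000 is the base named in this report; in production read the
    child's real base from its PEB instead of assuming it."""
    suspended = {}  # child pid -> (creator pid, image path)
    findings = []
    for ev in trace:
        if ev.api == "CreateProcess" and ev.detail.get("flags", 0) & CREATE_SUSPENDED:
            suspended[ev.target] = (ev.pid, ev.detail["image"])
        elif ev.api == "WriteProcessMemory" and ev.target in suspended:
            creator, image = suspended[ev.target]
            if (ev.pid == creator and ev.detail["base"] == image_base
                    and looks_like_pe(ev.detail["data"])):
                findings.append({"parent": creator, "child": ev.target,
                                 "image": image, "base": ev.detail["base"]})
    return findings


# Constructed trace: PID 7016 (the PID in the Yara match above) starts a suspended
# copy of itself and writes a PE header to 0x400000; the second pair is a benign
# control (a one-byte breakpoint write elsewhere). PIDs other than 7016 are made up.
SAMPLE_TRACE = [
    Event("CreateProcess", 7016, 7044,
          {"image": r"C:\Users\user\Desktop\Swift_Copy.exe", "flags": CREATE_SUSPENDED}),
    Event("WriteProcessMemory", 7016, 7044, {"base": 0x400000, "data": build_pe_stub()}),
    Event("ResumeThread", 7016, 7044, {}),
    Event("CreateProcess", 4100, 4120,
          {"image": r"C:\Windows\System32\notepad.exe", "flags": CREATE_SUSPENDED}),
    Event("WriteProcessMemory", 4100, 4120, {"base": 0x7FF600001000, "data": b"\xcc"}),
]

if __name__ == "__main__":
    for hit in detect_hollowing(SAMPLE_TRACE):
        print(f"hollowing: pid {hit['parent']} -> pid {hit['child']} "
              f"({hit['image']}) at {hit['base']:#x}")
```

The correlation keys on the creator of the suspended process being the writer; a debugger writing a breakpoint into a process it launched suspended passes through because neither the address nor the payload matches. The sandbox's own entry only records that the value starts with 4D5A, so the e_lfanew check here is the extra step an analyst would add before acting on such an event.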
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Swift_Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift_Copy.exe | Code function: 1_2_013BB0BE GetUserNameW,
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.908724525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.684677250.000000000A4D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7016, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 5952, type: MEMORY
Source: Yara match | File source: 7.2.Swift_Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Swift_Copy.exe.a576e18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Swift_Copy.exe.a576e18.8.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Swift_Copy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Swift_Copy.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 5952, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.908724525.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.684677250.000000000A4D5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 7016, type: MEMORY
Source: Yara match | File source: Process Memory Space: Swift_Copy.exe PID: 5952, type: MEMORY
Source: Yara match | File source: 7.2.Swift_Copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Swift_Copy.exe.a576e18.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Swift_Copy.exe.a576e18.8.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Disable or Modify Tools 11 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scheduled Task/Job 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Obfuscated Files or Information 3 | Security Account Manager | System Information Discovery 114 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Security Software Discovery 321 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 141 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Virtualization/Sandbox Evasion 141 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                  Behavior Graph

Behavior Graph ID: 385478 | Sample: Swift_Copy.exe | Startdate: 12/04/2021 | Architecture: WINDOWS | Score: 100

Start node (2), signatures:
• Found malware configuration
• Multi AV Scanner detection for dropped file
• Sigma detected: Scheduled temp file as task from temp location
• 7 other signatures

Process 7: Swift_Copy.exe (started by 2)
Dropped files:
• C:\Users\user\AppData\...\NiUISpmncyqd.exe, PE32
• C:\Users\...\NiUISpmncyqd.exe:Zone.Identifier, ASCII
• C:\Users\user\AppData\Local\...\tmp6587.tmp, XML
• C:\Users\user\AppData\...\Swift_Copy.exe.log, ASCII
Signatures:
• Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
• Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
• Uses schtasks.exe or at.exe to add and modify task schedules
• 2 other signatures

Process 11: Swift_Copy.exe (started by 7)
DNS/IP: smtp.yandex.ru 77.88.21.158, 49761, 587 YANDEXRU Russian Federation
Signatures:
• Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
• Tries to steal Mail credentials (via file access)
• Tries to harvest and steal ftp login credentials
• Tries to harvest and steal browser information (history, passwords, etc)

Process 15: schtasks.exe (started by 7)

Process 17: conhost.exe (started by 15)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Swift_Copy.exe | 32% | Virustotal |
Swift_Copy.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Swift_Copy.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.Swift_Copy.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                  Domains

                  No Antivirus matches

                  URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.yandex.ru | 77.88.21.158 | true | false | | high

                    URLs from Memory and Binaries

                                      http://www.fontbureau.comB.TTFSwift_Copy.exe, 00000001.00000003.672581470.00000000056C0000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sajatypeworks.comriwnDSwift_Copy.exe, 00000001.00000003.645172427.00000000056DB000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.galapagosdesign.com/DPleaseSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://api.ipify.org%GETMozilla/5.0Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      low
                                      http://www.fontbureau.comessed3=Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://www.fonts.comSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.sandoll.co.krSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.646116742.00000000056C6000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sajatypeworks.comdSwift_Copy.exe, 00000001.00000003.645172427.00000000056DB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.urwpp.deDPleaseSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.zhongyicts.com.cnSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designerspSwift_Copy.exe, 00000001.00000003.649972151.00000000056FC000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.sakkal.comSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://api.ipify.org%Swift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          low
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipSwift_Copy.exe, 00000001.00000002.684677250.000000000A4D5000.00000004.00000001.sdmp, Swift_Copy.exe, 00000007.00000002.908724525.0000000000402000.00000040.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comnSwift_Copy.exe, 00000001.00000003.645092939.00000000056DB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.apache.org/licenses/LICENSE-2.0Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.fontbureau.comSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.galapagosdesign.com/Swift_Copy.exe, 00000001.00000003.653279079.00000000056CD000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://DynDns.comDynDNSSwift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.comr=Swift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              low
                                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haSwift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.carterandcone.comTCSwift_Copy.exe, 00000001.00000003.647260344.00000000056FE000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.tiro.comnSwift_Copy.exe, 00000001.00000003.645560443.00000000056DB000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.founder.com.cn/cnu-rSwift_Copy.exe, 00000001.00000003.646509059.00000000056FD000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.carterandcone.comfachUDSwift_Copy.exe, 00000001.00000003.647008291.00000000056FE000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.comdSwift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fonts.comXSwift_Copy.exe, 00000001.00000003.645259047.00000000056DB000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.carterandcone.comonaEUoSwift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.carterandcone.comlSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.founder.com.cn/cn.Swift_Copy.exe, 00000001.00000003.646509059.00000000056FD000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.carterandcone.comintSwift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.founder.com.cn/cnSwift_Copy.exe, 00000001.00000003.646769974.00000000056CB000.00000004.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.646524857.00000000056C4000.00000004.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.646509059.00000000056FD000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/frere-user.htmlSwift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmp, Swift_Copy.exe, 00000001.00000003.650731068.00000000056FC000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.commr=Swift_Copy.exe, 00000001.00000003.672581470.00000000056C0000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://www.carterandcone.comypol;Swift_Copy.exe, 00000001.00000003.647260344.00000000056FE000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://Mjyucn.comSwift_Copy.exe, 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.carterandcone.comySwift_Copy.exe, 00000001.00000003.647185341.00000000056FE000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.founder.com.cn/cn/$Swift_Copy.exe, 00000001.00000003.646684294.00000000056C4000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8Swift_Copy.exe, 00000001.00000002.679315929.00000000057C0000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com/designers/oSwift_Copy.exe, 00000001.00000003.649928925.00000000056FC000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.carterandcone.comncySwift_Copy.exe, 00000001.00000003.647260344.00000000056FE000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers:Swift_Copy.exe, 00000001.00000003.650536948.00000000056FC000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.tiro.comhSwift_Copy.exe, 00000001.00000003.645469714.00000000056DB000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.fontbureau.comE.TTFSwift_Copy.exe, 00000001.00000003.651955584.00000000056C4000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385478
Start date: 12.04.2021
Start time: 15:20:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Swift_Copy.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.2% (good quality ratio 0.1%)
• Quality average: 40%
• Quality standard deviation: 28.5%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 104.43.139.144, 52.147.198.201, 13.88.21.125, 168.61.161.212, 20.50.102.62, 104.43.193.48, 92.122.213.247, 92.122.213.194, 52.155.217.156, 2.20.142.209, 2.20.142.210, 20.54.26.129, 20.82.209.183, 40.88.32.150, 104.42.151.234
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
15:21:17 | API Interceptor | 904x Sleep call for process: Swift_Copy.exe modified

Joe Sandbox View / Context

IPs

Match: 77.88.21.158
Associated samples (all detected as malicious):
• Customer ID 2199201992001.xlsx
• UOB_BANK_MT104_SCAN.exe
• zq17jG57TX.exe
• SecuriteInfo.com.Trojan.GenericKD.36663460.22787.exe
• Payment_Advice.exe
• Swift_Copy.exe
• C6RET8T1Wi.exe
• RFQ# ZAT77095_pdf.exe
• AL JUNEIDI LIST.xlsx
• SWIFT.exe
• Payment _Advice (2).exe
• cricket.exe
• SG1_000000123205044_1.pdf.gz.exe
• Ordine d'acquisto 240517_04062021.exe
• Order 01042021-V728394-H16.pdf.exe
• RFQ#EX50GO_pdf.exe
• TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe
• Shandong CIRS Form.exe
• DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe
• REQUEST QUOTATION BID..pdf.exe

Domains

Match: smtp.yandex.ru
Associated samples (all detected as malicious; context IP in parentheses):
• Customer ID 2199201992001.xlsx (77.88.21.158)
• UOB_BANK_MT104_SCAN.exe (77.88.21.158)
• zq17jG57TX.exe (77.88.21.158)
• SecuriteInfo.com.Trojan.GenericKD.36663460.22787.exe (77.88.21.158)
• Payment_Advice.exe (77.88.21.158)
• qINcOlwRud.exe (77.88.21.158)
• Swift_Copy.exe (77.88.21.158)
• C6RET8T1Wi.exe (77.88.21.158)
• RFQ# ZAT77095_pdf.exe (77.88.21.158)
• AL JUNEIDI LIST.xlsx (77.88.21.158)
• SWIFT.exe (77.88.21.158)
• Payment _Advice (2).exe (77.88.21.158)
• cricket.exe (77.88.21.158)
• SG1_000000123205044_1.pdf.gz.exe (77.88.21.158)
• Ordine d'acquisto 240517_04062021.exe (77.88.21.158)
• Order 01042021-V728394-H16.pdf.exe (77.88.21.158)
• RFQ#EX50GO_pdf.exe (77.88.21.158)
• TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe (77.88.21.158)
• Shandong CIRS Form.exe (77.88.21.158)
• DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe (77.88.21.158)

ASN

Match: YANDEXRU

Associated Sample Name / URL  |  Detection  |  Context
Customer ID 2199201992001.xlsx  |  malicious  |  77.88.21.158
UOB_BANK_MT104_SCAN.exe  |  malicious  |  77.88.21.158
zq17jG57TX.exe  |  malicious  |  77.88.21.158
SecuriteInfo.com.Trojan.GenericKD.36663460.22787.exe  |  malicious  |  77.88.21.158
Payment_Advice.exe  |  malicious  |  77.88.21.158
Swift_Copy.exe  |  malicious  |  77.88.21.158
C6RET8T1Wi.exe  |  malicious  |  77.88.21.158
RFQ# ZAT77095_pdf.exe  |  malicious  |  77.88.21.158
AL JUNEIDI LIST.xlsx  |  malicious  |  77.88.21.158
SWIFT.exe  |  malicious  |  77.88.21.158
Payment _Advice (2).exe  |  malicious  |  77.88.21.158
cricket.exe  |  malicious  |  77.88.21.158
SG1_000000123205044_1.pdf.gz.exe  |  malicious  |  77.88.21.158
Ordine d'acquisto 240517_04062021.exe  |  malicious  |  77.88.21.158
_VmailMessage_Wave19922626.html  |  malicious  |  77.88.21.179
Order 01042021-V728394-H16.pdf.exe  |  malicious  |  77.88.21.158
RFQ#EX50GO_pdf.exe  |  malicious  |  77.88.21.158
TRANSACTION_INTTRANSFER_1617266945242 MEDICON_PDF.exe  |  malicious  |  77.88.21.158
Shandong CIRS Form.exe  |  malicious  |  77.88.21.158
DHL_DELIVERY_CONFIRMATION_CBJ002042021068506.exe  |  malicious  |  77.88.21.158

                                                                                                JA3 Fingerprints

                                                                                                No context

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Swift_Copy.exe.log
                                                                                                Process:C:\Users\user\Desktop\Swift_Copy.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):664
                                                                                                Entropy (8bit):5.288448637977022
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
                                                                                                MD5:B1DB55991C3DA14E35249AEA1BC357CA
                                                                                                SHA1:0DD2D91198FDEF296441B12F1A906669B279700C
                                                                                                SHA-256:34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
                                                                                                SHA-512:BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
                                                                                                Malicious:true
                                                                                                Reputation:moderate, very likely benign file
                                                                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..
                                                                                                C:\Users\user\AppData\Local\Temp\tmp6587.tmp
                                                                                                Process:C:\Users\user\Desktop\Swift_Copy.exe
                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):1645
                                                                                                Entropy (8bit):5.180730639398364
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGtAtn:cbhK79lNQR/rydbz9I3YODOLNdq34W
                                                                                                MD5:8D02A2C41969C722FCF30BA28EB49DA5
                                                                                                SHA1:24244639536F0DCCF04E7E59F034FC026E8AC465
                                                                                                SHA-256:EAE2226E24CD6342A64C4D28D5F5B7695E4B4FA26933A9B3A5D20908EFF1F565
                                                                                                SHA-512:F8EA50EBB4204C3E8E5EE2D4D461EB0EC338180071B50D5170C313CC5E0EA9E4D7E64501E4B19287B3390677D343B52856B1333E8E44C5419BEB9DA50AEB32B5
                                                                                                Malicious:true
                                                                                                Reputation:low
                                                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                                                                C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe
                                                                                                Process:C:\Users\user\Desktop\Swift_Copy.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):684544
                                                                                                Entropy (8bit):7.441452446452719
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:i4enOh6dI9C8l7y0aTrhdgepi7xMU76P1wPGL45eYKcDQIBdHKsMjvLeh:zGE7ylrvgeFU7QSuE5ebcBdqnvLeh
                                                                                                MD5:7C315E5221144EBE207421FCF5578985
                                                                                                SHA1:2D337A4C65EF709607DA501C87F3127E61356E2F
                                                                                                SHA-256:C9CF74378C0AB6240EF866BE3673DD54A46B36CCF58A7C9036344F96FB812AEE
                                                                                                SHA-512:9E6CB34B5F61BBA7320D66B7BF9A26DC09BB577B8CD630D41242A7ED062969D45B4322F4C242567F23EBA416B46421D4529A908AD5BE16FC00ABB9948ACD9DDB
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 31%
                                                                                                Reputation:low
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P.............j.... ... ....@.. ....................................@.....................................O.... .............................................................................. ............... ..H............text........ ...................... ..`.rsrc....... ......................@..@.reloc...............p..............@..B................L.......H...........L............... H...........................................0............(#...($.........(.....o%....*.....................(&......('......((......()......(*....*N..(....o....(+....*&..(,....*.s-........s.........s/........s0........s1........*....0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*.0...........~....o5....+..*.0...........~....o6....+..*.0..<........~.....(7.....,!r...p.....(8...o9...s:............~.....+..*.0......
                                                                                                C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe:Zone.Identifier
                                                                                                Process:C:\Users\user\Desktop\Swift_Copy.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:true
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview: [ZoneTransfer]....ZoneId=0
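Two of the dropped files describe the persistence mechanism the signatures above refer to. The task definition written to C:\Users\user\AppData\Local\Temp\tmp6587.tmp is what the Sigma rule "Scheduled temp file as task from temp location" keys on: a temp file handed to schtasks, a LogonTrigger for the current user, RunLevel LeastPrivilege (so no elevation prompt is ever needed), and an XML declaration of encoding="UTF-16" on a file the report identifies as ASCII text. Its RegistrationInfo date of 2014-10-25 in a task created by a binary compiled in April 2021 suggests the XML is a baked-in template rather than generated at run time. The preview is truncated before the <Actions> element, so the page does not show which command the task runs. The second file, C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe, has exactly the MD5, SHA1 and SHA-256 of the submitted sample, i.e. the malware copies itself byte for byte into %APPDATA%, and its Zone.Identifier stream carries ZoneId=0 (local machine), so the copy has no mark of the web.

The parser below is an added example written for this report; it is not code from the sandbox or from the sample. SAMPLE_TASK_XML is constructed from the preview, and its <Actions> block is an assumption: it reuses the dropped copy's path as a stand-in command because the real one is not on the page. The code follows the byte-order mark rather than the declaration and strips the declaration before parsing, so the UTF-16-declared-but-ASCII file is handled the same way as a genuine UTF-16 export.

```python
"""Triage of a Task Scheduler XML definition such as the one dropped to %TEMP% above.

Added example, not code from the report or the sample. SAMPLE_TASK_XML is built
from the preview; the <Actions> block is an assumption (the preview is truncated
before it) and reuses the dropped copy's path as a stand-in command.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")
# Paths an unprivileged user can write to; persistence that runs from here deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)

SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <!-- Constructed for this example: the report's preview ends before this element. -->
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\NiUISpmncyqd.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def decode_task_xml(raw: bytes) -> str:
    """Follow the byte-order mark, not the declaration: schtasks accepts UTF-16 with a BOM and plain ASCII."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8")


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def triage_task_xml(raw: bytes) -> dict:
    text = decode_task_xml(raw)
    declared_utf16 = b'encoding="utf-16"' in raw[:128].lower()
    # Drop the declaration before parsing so the UTF-16 claim cannot mislead the parser.
    root = ET.fromstring(XML_DECL.sub("", text, count=1))
    triggers = [
        _local(trig.tag)
        for trig in root.findall("t:Triggers/*", NS)
        if trig.findtext("t:Enabled", "true", NS).strip().lower() == "true"  # absent Enabled means enabled
    ]
    principal = root.find("t:Principals/t:Principal", NS)
    commands = [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text]
    flags = []
    if "LogonTrigger" in triggers:
        flags.append("logon_persistence")
    if any(USER_WRITABLE.search(c) for c in commands):
        flags.append("runs_from_user_writable_path")
    if declared_utf16 and raw.isascii():
        flags.append("declared_utf16_but_ascii")
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", "", NS),
        "registered": root.findtext("t:RegistrationInfo/t:Date", "", NS),
        "triggers": triggers,
        "run_level": principal.findtext("t:RunLevel", "", NS) if principal is not None else "",
        "logon_type": principal.findtext("t:LogonType", "", NS) if principal is not None else "",
        "commands": commands,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage_task_xml(SAMPLE_TASK_XML.encode("ascii")).items():
        print(f"{key}: {value}")
```

Run against a file recovered from %TEMP% or exported with schtasks /Query /XML, the three flags together (logon trigger, command under AppData or Temp, ASCII file claiming UTF-16) are the combination worth alerting on; any one of them alone is common in legitimate software.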

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Entropy (8bit):7.441452446452719
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                File name:Swift_Copy.exe
                                                                                                File size:684544
                                                                                                MD5:7c315e5221144ebe207421fcf5578985
                                                                                                SHA1:2d337a4c65ef709607da501c87f3127e61356e2f
                                                                                                SHA256:c9cf74378c0ab6240ef866be3673dd54a46b36ccf58a7c9036344f96fb812aee
                                                                                                SHA512:9e6cb34b5f61bba7320d66b7bf9a26dc09bb577b8cd630d41242a7ed062969d45b4322f4c242567f23eba416b46421d4529a908ad5be16fc00abb9948acd9ddb
                                                                                                SSDEEP:12288:i4enOh6dI9C8l7y0aTrhdgepi7xMU76P1wPGL45eYKcDQIBdHKsMjvLeh:zGE7ylrvgeFU7QSuE5ebcBdqnvLeh
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P.............j.... ... ....@.. ....................................@................................

                                                                                                File Icon

                                                                                                Icon Hash:d28ab3b0e0ab96c4

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x48016a
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                Time Stamp:0x6073F386 [Mon Apr 12 07:15:18 2021 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:v2.0.50727
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the imphash shared by .NET executables whose only native import is mscoree.dll!_CorExeMain; it identifies the runtime stub, not this family, so it is not a useful pivot on its own)
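The header fields above, and the "Entropy (8bit)" values in the dropped-files table, can be reproduced with a few lines of struct parsing, which is useful when a sample has to be triaged offline or a reported value needs checking. The following is an added example, not code from the report or the sample: it walks a PE32 header for the timestamp, entry point, image base, subsystem, file and DLL characteristics and the presence of a CLR header (the data-directory entry that makes this a .NET image), and computes 8-bit Shannon entropy. Because the sample itself is not on the page, build_sample_header() assembles a header-only image from the values printed above (timestamp 0x6073F386, entry point 0x48016a, image base 0x400000, GUI subsystem, the four DllCharacteristics flags, three sections); it is constructed, not the sample's bytes, and the CLR directory RVA and size in it are placeholders. The entropy check uses the 26 bytes of the dropped Zone.Identifier stream, whose content is fully shown above, and has to reproduce the report's 3.95006375643621.

```python
"""Static-triage helpers for the 'Static PE Info' fields and the 'Entropy (8bit)'
values in this report.

Added example, not code from the Joe Sandbox report or from the sample.
build_sample_header() constructs a header-only PE32 image from values printed
in the report; it is NOT the sample's bytes, and the CLR data-directory
RVA/size in it are placeholders.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF spec).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header; non-zero RVA means a .NET image

# The dropped Zone.Identifier stream: 26 bytes, two CRLF pairs, ZoneId=0 (local machine zone).
# Line layout reconstructed from the preview; entropy depends only on the byte counts.
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\nZoneId=0\r\n"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _flags(value: int, table: dict) -> list:
    return sorted(name for bit, name in table.items() if value & bit)


def parse_pe_header(blob: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> PE32 optional header."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, _, file_chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", blob, opt)
    if magic != 0x10B:  # PE32 only; PE32+ (0x20B) lays out ImageBase and the directories differently
        raise ValueError(f"unsupported optional header magic {magic:#x}")
    (entry_rva,) = struct.unpack_from("<I", blob, opt + 16)
    (image_base,) = struct.unpack_from("<I", blob, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", blob, opt + 68)
    (num_dirs,) = struct.unpack_from("<I", blob, opt + 92)
    clr_rva = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        (clr_rva,) = struct.unpack_from("<I", blob, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,                          # 0x14C = Intel 386
        "sections": nsections,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entrypoint": image_base + entry_rva,        # the report prints the VA, not the RVA
        "image_base": image_base,
        "subsystem": subsystem,                      # 2 = WINDOWS_GUI
        "file_characteristics": _flags(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "has_clr_header": clr_rva != 0,
    }


def build_sample_header() -> bytes:
    """Constructed header-only PE32 carrying the values printed in the report (not the sample's bytes)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x6073F386, 0, 0, 0xE0, 0x0102)  # 3 sections: .text .rsrc .reloc
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x8016A)                                 # AddressOfEntryPoint (RVA of 0x48016a)
    struct.pack_into("<I", opt, 28, 0x400000)                                # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                                   # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                                   # subsystem version 4.0
    struct.pack_into("<HH", opt, 68, 2, 0x0040 | 0x0100 | 0x0400 | 0x8000)   # GUI; DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)  # placeholder CLR hdr
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
    print(f"Zone.Identifier entropy: {shannon_entropy(ZONE_IDENTIFIER):.14f}")
```

Pointed at the real file, parse_pe_header() gives the same timestamp, entry point and flag set as the table above, and shannon_entropy() over the whole file gives the 7.4414 reported for both Swift_Copy.exe and its %APPDATA% copy; a value that high for a .NET assembly with no packer-style section names usually means a large encrypted or compressed payload embedded in the managed code, which matches the ".NET source code contains very large array initializations" signature.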

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
or dword ptr [edx], ecx
or eax, 00000020h
add byte ptr [ecx+49h], cl
sub al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
dec ebp
dec ebp
add byte ptr [edx], ch
add byte ptr [eax], al   (repeated to the end of the preview)

Only the first line is code. "jmp dword ptr [00402000h]" is the native entry stub every .NET PE32 carries: an indirect jump through the import address table (here at VA 0x402000, RVA 0x2000 with image base 0x400000) to mscoree.dll!_CorExeMain, which loads the CLR (v2.0.50727 per the header above) and hands control to the managed entry point. The disassembler keeps decoding past the 6-byte stub, so the lines that follow are data, and the long run of "add byte ptr [eax], al" is zero padding (the byte pair 00 00 decodes to that instruction). None of the malware's logic is visible here; it lives in the managed code.
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x80118 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x28be8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7e188 | 0x7e200 | False | 0.882034347126 | Intel 80386 COFF object file, not stripped, 8 sections, symbol offset=0x48, 327682 symbols, optional header size 57004 | 7.81058952683 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x82000 | 0x28be8 | 0x28c00 | False | 0.349471577837 | data | 5.40668860774 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x822b0 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x92ad8 | 0x94a8 | data | |
RT_ICON | 0x9bf80 | 0x5488 | data | |
RT_ICON | 0xa1408 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_ICON | 0xa5630 | 0x25a8 | data | |
RT_ICON | 0xa7bd8 | 0x10a8 | data | |
RT_ICON | 0xa8c80 | 0x988 | data | |
RT_ICON | 0xa9608 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0xa9a70 | 0x76 | data | |
RT_GROUP_ICON | 0xa9ae8 | 0x14 | data | |
RT_VERSION | 0xa9afc | 0x3c4 | data | |
RT_MANIFEST | 0xa9ec0 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Adobe Inc, Sel 2011 - 2021
Assembly Version | 1.0.0.0
InternalName | SafeIsolatedStorageFileHandle.exe
FileVersion | 1.0.0.0
CompanyName | Adobe Inc, Sel
LegalTrademarks |
Comments |
ProductName | Image Studio
ProductVersion | 1.0.0.0
FileDescription | Image Studio
OriginalFilename | SafeIsolatedStorageFileHandle.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 15:22:54.346390963 CEST | 49761 | 587 | 192.168.2.4 | 77.88.21.158
Apr 12, 2021 15:22:54.433274031 CEST | 587 | 49761 | 77.88.21.158 | 192.168.2.4
Apr 12, 2021 15:22:54.433454990 CEST | 49761 | 587 | 192.168.2.4 | 77.88.21.158
Apr 12, 2021 15:22:54.675438881 CEST | 587 | 49761 | 77.88.21.158 | 192.168.2.4
Apr 12, 2021 15:22:54.675848961 CEST | 49761 | 587 | 192.168.2.4 | 77.88.21.158
Apr 12, 2021 15:22:54.676445961 CEST | 49761 | 587 | 192.168.2.4 | 77.88.21.158
Apr 12, 2021 15:22:54.762717009 CEST | 587 | 49761 | 77.88.21.158 | 192.168.2.4
Apr 12, 2021 15:22:54.762747049 CEST | 587 | 49761 | 77.88.21.158 | 192.168.2.4
Apr 12, 2021 15:22:54.763138056 CEST | 587 | 49761 | 77.88.21.158 | 192.168.2.4
Apr 12, 2021 15:22:54.763267994 CEST | 49761 | 587 | 192.168.2.4 | 77.88.21.158
Apr 12, 2021 15:22:54.763299942 CEST | 49761 | 587 | 192.168.2.4 | 77.88.21.158

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 15:22:54.256355047 CEST | 192.168.2.4 | 8.8.8.8 | 0x3555 | Standard query (0) | smtp.yandex.ru | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 15:22:54.315794945 CEST | 8.8.8.8 | 192.168.2.4 | 0x3555 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 12, 2021 15:22:54.675438881 CEST | 587 | 49761 | 77.88.21.158 | 192.168.2.4 | 220 vla3-23c3b031fed5.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
Apr 12, 2021 15:22:54.675848961 CEST | 49761 | 587 | 192.168.2.4 | 77.88.21.158 | EHLO 724471
Apr 12, 2021 15:22:54.762747049 CEST | 587 | 49761 | 77.88.21.158 | 192.168.2.4 | 250-vla3-23c3b031fed5.qloud-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 15:21:10
Start date: 12/04/2021
Path: C:\Users\user\Desktop\Swift_Copy.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Swift_Copy.exe'
Imagebase: 0xb40000
File size: 684544 bytes
MD5 hash: 7C315E5221144EBE207421FCF5578985
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.673934957.0000000003209000.00000004.00000001.sdmp, Author: Joe Security
  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.684677250.000000000A4D5000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:21:22
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NiUISpmncyqd' /XML 'C:\Users\user\AppData\Local\Temp\tmp6587.tmp'
Imagebase: 0x9b0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                General

                                                                                                Start time:15:21:23
                                                                                                Start date:12/04/2021
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff724c50000
                                                                                                File size:625664 bytes
                                                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high

                                                                                                General

                                                                                                Start time:15:21:23
                                                                                                Start date:12/04/2021
                                                                                                Path:C:\Users\user\Desktop\Swift_Copy.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Users\user\Desktop\Swift_Copy.exe
                                                                                                Imagebase:0xa90000
                                                                                                File size:684544 bytes
                                                                                                MD5 hash:7C315E5221144EBE207421FCF5578985
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.910330939.0000000003151000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.908724525.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                Reputation:low

Disassembly

Code Analysis
