Analysis Report SwiftCopy.pdf.exe

Overview

General Information

Sample Name: SwiftCopy.pdf.exe
Analysis ID: 432424
MD5: 5a13130ec1c4259c3f63fa48167ab094
SHA1: ec4a42085f6c4fd6fbd79705723c8d034f24ebad
SHA256: 85c856fe483e3a2ef7a4417693dc121c42673ac426cb8cf486fbe20b4825636a
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Suspicious Double Extension
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Found malware configuration
Source: 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Group": "Ego come se", "Domain1": "sylviaoslh01.ddns.net", "Domain2": "194.5.98.31", "Port": 52943, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for domain / URL
Source: sylviaoslh01.ddns.net Virustotal: Detection: 9%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\xetNJdChYOitP.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: SwiftCopy.pdf.exe ReversingLabs: Detection: 44%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\xetNJdChYOitP.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SwiftCopy.pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.SwiftCopy.pdf.exe.4332580.6.unpack Avira: Label: TR/NanoCore.fadte
Source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 32.0.dhcpmon.exe.400000.3.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.SwiftCopy.pdf.exe.5d70000.11.unpack Avira: Label: TR/NanoCore.fadte
Source: 32.2.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 32.0.dhcpmon.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: SwiftCopy.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: SwiftCopy.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\System.pdbpdbtem.pdbon source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: indows\symbols\dll\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\hcUgzA.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: System.pdbM source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbILE source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: 1koC:\Windows\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.pdb& source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910531601.00000000032C1000.00000004.00000001.sdmp, SwiftCopy.pdf.exe, 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp
Source: Binary string: System.pdb H source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: indows\hcUgzA.pdbpdbgzA.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: .pdbSystem source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\BtHJZpKYpK\src\obj\Debug\hcUgzA.pdb source: SwiftCopy.pdf.exe
Source: Binary string: C:\Windows\System.pdb++wE source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: SwiftCopy.pdf.exe, 00000000.00000002.743183682.0000000006AF0000.00000002.00000001.sdmp, SwiftCopy.pdf.exe, 0000000B.00000002.912263148.0000000005A70000.00000002.00000001.sdmp, SwiftCopy.pdf.exe, 00000013.00000002.830322013.0000000006EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.824841723.0000000006010000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.843885287.0000000006430000.00000002.00000001.sdmp
Source: Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 4x nop then mov esp, ebp 11_2_02F18810

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: sylviaoslh01.ddns.net
Source: Malware configuration extractor URLs: 194.5.98.31
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 194.5.98.31 ports 2,3,4,5,9,52943
Uses dynamic DNS services
Source: unknown DNS query: name: sylviaoslh01.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49742 -> 194.5.98.31:52943
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE DANILENKODE
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C2F5A WSARecv, 11_2_052C2F5A
Source: unknown DNS traffic detected: queries for: sylviaoslh01.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: SwiftCopy.pdf.exe, 0000000B.00000002.912619347.0000000005D70000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000020.00000000.836222469.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000000.836222469.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000000.819759981.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000000.819759981.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.912587333.0000000005D60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.835267863.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.835267863.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.911932177.00000000054D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000000.820327781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000000.820327781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.726462560.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.726462560.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.820471977.0000000003A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.820471977.0000000003A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.741715588.00000000045C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.741715588.00000000045C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.912619347.0000000005D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.841434727.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.841434727.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.852127142.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000002.852127142.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000000.835581816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000020.00000000.835581816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.734043460.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.734043460.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.908625280.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.908625280.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.826910629.0000000004641000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.826910629.0000000004641000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.836971548.0000000004391000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.726040524.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.726040524.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.857349420.0000000003F31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 2848, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 2848, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6476, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6476, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6872, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6872, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.SwiftCopy.pdf.exe.5d70000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.5d60000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.SwiftCopy.pdf.exe.4332580.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.4319591.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.SwiftCopy.pdf.exe.4319591.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.2f53ac8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.3f89591.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.43e9591.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.4332580.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.33b3924.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.2f58b54.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.dhcpmon.exe.2f53ac8.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.3f7ed1e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.3f7ed1e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.SwiftCopy.pdf.exe.431dbba.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.5d70000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.32d6488.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.32d160c.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.54d0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.43e3b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.43e3b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.dhcpmon.exe.3f89591.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.SwiftCopy.pdf.exe.33b89b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3e56d68.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3e56d68.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3b36d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3b36d68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.dhcpmon.exe.3f7ed1e.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.SwiftCopy.pdf.exe.5d74629.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.dhcpmon.exe.3f83b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.3f83b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.SwiftCopy.pdf.exe.33b3924.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.SwiftCopy.pdf.exe.32d160c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.43e9591.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.3e56d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.3e56d68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3b36d68.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3b36d68.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: SwiftCopy.pdf.exe, LoginForm.cs Long String: Length: 11840
Source: xetNJdChYOitP.exe.0.dr, LoginForm.cs Long String: Length: 11840
Source: 0.2.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs Long String: Length: 11840
Source: 0.0.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs Long String: Length: 11840
Source: 10.2.SwiftCopy.pdf.exe.200000.0.unpack, LoginForm.cs Long String: Length: 11840
Source: 10.0.SwiftCopy.pdf.exe.200000.0.unpack, LoginForm.cs Long String: Length: 11840
Source: dhcpmon.exe.11.dr, LoginForm.cs Long String: Length: 11840
Source: 11.2.SwiftCopy.pdf.exe.9d0000.1.unpack, LoginForm.cs Long String: Length: 11840
Source: 11.0.SwiftCopy.pdf.exe.9d0000.4.unpack, LoginForm.cs Long String: Length: 11840
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: SwiftCopy.pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 0_2_02D4213A NtQuerySystemInformation, 0_2_02D4213A
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 0_2_02D42100 NtQuerySystemInformation, 0_2_02D42100
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C178E NtQuerySystemInformation, 11_2_052C178E
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C1753 NtQuerySystemInformation, 11_2_052C1753
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 19_2_08211DD2 NtQuerySystemInformation, 19_2_08211DD2
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 19_2_08211D98 NtQuerySystemInformation, 19_2_08211D98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_05391DD2 NtQuerySystemInformation, 21_2_05391DD2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_05391D98 NtQuerySystemInformation, 21_2_05391D98
Detected potential crypto function
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA0E58 20_2_04BA0E58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA6258 20_2_04BA6258
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA8588 20_2_04BA8588
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA4380 20_2_04BA4380
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA33F0 20_2_04BA33F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA2D78 20_2_04BA2D78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAB978 20_2_04BAB978
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA4B40 20_2_04BA4B40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA9CF8 20_2_04BA9CF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA94E8 20_2_04BA94E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA42E0 20_2_04BA42E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA52D0 20_2_04BA52D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAA438 20_2_04BAA438
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAA428 20_2_04BAA428
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA7A08 20_2_04BA7A08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA6FB0 20_2_04BA6FB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA6FA8 20_2_04BA6FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAA1A0 20_2_04BAA1A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA7F98 20_2_04BA7F98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA8190 20_2_04BA8190
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA8F8B 20_2_04BA8F8B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA7F89 20_2_04BA7F89
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA8180 20_2_04BA8180
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA79F8 20_2_04BA79F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAA9D8 20_2_04BAA9D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA83C8 20_2_04BA83C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAA9C0 20_2_04BAA9C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA83C1 20_2_04BA83C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA6179 20_2_04BA6179
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAB973 20_2_04BAB973
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA2D69 20_2_04BA2D69
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA6143 20_2_04BA6143
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4D89D 21_2_04F4D89D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4388A 21_2_04F4388A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4546A 21_2_04F4546A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4D430 21_2_04F4D430
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F49020 21_2_04F49020
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F48588 21_2_04F48588
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4B978 21_2_04F4B978
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F42D78 21_2_04F42D78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4BD08 21_2_04F4BD08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F40E58 21_2_04F40E58
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F46258 21_2_04F46258
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F41E38 21_2_04F41E38
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F433F0 21_2_04F433F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F44380 21_2_04F44380
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F44B40 21_2_04F44B40
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F494F8 21_2_04F494F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F49CF8 21_2_04F49CF8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4BCFA 21_2_04F4BCFA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F494E8 21_2_04F494E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4A438 21_2_04F4A438
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4A428 21_2_04F4A428
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F479F8 21_2_04F479F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4A9D8 21_2_04F4A9D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4A1A0 21_2_04F4A1A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F48190 21_2_04F48190
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F48180 21_2_04F48180
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4A989 21_2_04F4A989
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4D170 21_2_04F4D170
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F46179 21_2_04F46179
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F42D68 21_2_04F42D68
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4B968 21_2_04F4B968
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F46143 21_2_04F46143
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F442E0 21_2_04F442E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4C2C0 21_2_04F4C2C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4CACF 21_2_04F4CACF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4C2B0 21_2_04F4C2B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4D6B8 21_2_04F4D6B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4D6A9 21_2_04F4D6A9
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F41E27 21_2_04F41E27
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4CA10 21_2_04F4CA10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F47A08 21_2_04F47A08
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F483C8 21_2_04F483C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F46FB0 21_2_04F46FB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F483B8 21_2_04F483B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F46FA2 21_2_04F46FA2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F47F98 21_2_04F47F98
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F48F8C 21_2_04F48F8C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F47F88 21_2_04F47F88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4CB23 21_2_04F4CB23
Sample file is different than original file name gathered from version info
Source: SwiftCopy.pdf.exe, 00000000.00000002.743422851.0000000006CD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000000.00000002.727647632.00000000009EE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehcUgzA.exe: vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000000.00000002.730420038.0000000002D50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000000.00000002.745519092.0000000008C40000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000000.00000002.743183682.0000000006AF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000000.00000002.743563612.0000000006FC0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000000.00000002.743563612.0000000006FC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000A.00000002.724885838.000000000028E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehcUgzA.exe: vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.913111276.0000000006250000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.912263148.0000000005A70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.913493984.00000000067B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910531601.00000000032C1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910531601.00000000032C1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000000.726164379.0000000000A5E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehcUgzA.exe: vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910136702.0000000002F60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.912619347.0000000005D70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000000B.00000002.909589663.0000000001269000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000013.00000002.830985145.0000000008750000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000013.00000002.830322013.0000000006EE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000013.00000002.824821231.00000000036D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000013.00000002.824821231.00000000036D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000013.00000002.821492248.0000000000E5E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehcUgzA.exe: vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000013.00000002.830433282.0000000006FA0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 00000013.00000002.830433282.0000000006FA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000001D.00000002.835389817.0000000000DBE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamehcUgzA.exe: vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000001D.00000002.837835685.00000000056D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000001D.00000002.835797951.000000000149A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe, 0000001D.00000002.836971548.0000000004391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs SwiftCopy.pdf.exe
Source: SwiftCopy.pdf.exe Binary or memory string: OriginalFilenamehcUgzA.exe: vs SwiftCopy.pdf.exe
Uses 32bit PE files
Source: SwiftCopy.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000020.00000000.836222469.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000020.00000000.836222469.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000000.819759981.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000000.819759981.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.912587333.0000000005D60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.912587333.0000000005D60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001D.00000002.835267863.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000002.835267863.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.911932177.00000000054D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.911932177.00000000054D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001D.00000000.820327781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000000.820327781.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.726462560.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.726462560.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.820471977.0000000003A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.820471977.0000000003A31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.741715588.00000000045C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.741715588.00000000045C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.912619347.0000000005D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.912619347.0000000005D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000015.00000002.841434727.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.841434727.0000000003D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000002.852127142.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000020.00000002.852127142.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000000.835581816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000020.00000000.835581816.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.734043460.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.734043460.00000000041D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.908625280.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.908625280.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.826910629.0000000004641000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.826910629.0000000004641000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.836971548.0000000004391000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000000.726040524.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000000.726040524.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000002.857349420.0000000003F31000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 2848, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 2848, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6476, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6476, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6872, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SwiftCopy.pdf.exe PID: 6872, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.SwiftCopy.pdf.exe.5d70000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.5d70000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.5d60000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.5d60000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.SwiftCopy.pdf.exe.4746d68.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.SwiftCopy.pdf.exe.4332580.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.4332580.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.4319591.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.4319591.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 32.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.SwiftCopy.pdf.exe.4319591.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.4319591.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.2f53ac8.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.2f53ac8.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.3f89591.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.3f89591.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.43e9591.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.43e9591.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.4332580.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.4332580.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.33b3924.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.33b3924.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.2f58b54.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.2f58b54.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 32.2.dhcpmon.exe.2f53ac8.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.2f53ac8.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.3f7ed1e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.3f7ed1e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.3f7ed1e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.SwiftCopy.pdf.exe.431dbba.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.431dbba.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.5d70000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.5d70000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.32d6488.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.32d6488.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.32d160c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.32d160c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.54d0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.54d0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.43e3b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.43e3b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.43e3b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 32.2.dhcpmon.exe.3f89591.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.3f89591.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.SwiftCopy.pdf.exe.33b89b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.33b89b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.dhcpmon.exe.3e56d68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.3e56d68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.dhcpmon.exe.3e56d68.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.3b36d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.3b36d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.3b36d68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 32.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 32.2.dhcpmon.exe.3f7ed1e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.3f7ed1e.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.SwiftCopy.pdf.exe.5d74629.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.5d74629.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 32.2.dhcpmon.exe.3f83b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 32.2.dhcpmon.exe.3f83b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 32.2.dhcpmon.exe.3f83b5b.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.SwiftCopy.pdf.exe.33b3924.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.33b3924.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.SwiftCopy.pdf.exe.32d160c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.SwiftCopy.pdf.exe.32d160c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.43e9591.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.43e9591.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.3e56d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.3e56d68.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.dhcpmon.exe.3e56d68.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.3b36d68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.3b36d68.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.dhcpmon.exe.3b36d68.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: SwiftCopy.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: xetNJdChYOitP.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.11.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SwiftCopy.pdf.exe, LoginForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: xetNJdChYOitP.exe.0.dr, LoginForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.SwiftCopy.pdf.exe.200000.0.unpack, LoginForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.SwiftCopy.pdf.exe.200000.0.unpack, LoginForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@27/13@13/2
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 0_2_02D41D16 AdjustTokenPrivileges, 0_2_02D41D16
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 0_2_02D41CDF AdjustTokenPrivileges, 0_2_02D41CDF
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C154E AdjustTokenPrivileges, 11_2_052C154E
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C1517 AdjustTokenPrivileges, 11_2_052C1517
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 19_2_08211D02 AdjustTokenPrivileges, 19_2_08211D02
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 19_2_08211CCB AdjustTokenPrivileges, 19_2_08211CCB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_05391D02 AdjustTokenPrivileges, 21_2_05391D02
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_05391CCB AdjustTokenPrivileges, 21_2_05391CCB
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File created: C:\Users\user\AppData\Roaming\xetNJdChYOitP.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_01
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{7b42330a-496b-48fe-8a1c-b48f92653e95}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_01
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\hReiWqLZtvWC
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmpF25B.tmp Jump to behavior
Source: SwiftCopy.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SwiftCopy.pdf.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File read: C:\Users\user\Desktop\SwiftCopy.pdf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe 'C:\Users\user\Desktop\SwiftCopy.pdf.exe'
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmpF25B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path}
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path}
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE76.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE388.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe C:\Users\user\Desktop\SwiftCopy.pdf.exe 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmp994A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC24.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmpF25B.tmp' Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE76.tmp' Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE388.tmp' Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmp994A.tmp' Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path} Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC24.tmp' Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: SwiftCopy.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: SwiftCopy.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SwiftCopy.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: indows\System.pdbpdbtem.pdbon source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: indows\symbols\dll\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\hcUgzA.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: System.pdbM source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbILE source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: 1koC:\Windows\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.pdb& source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910531601.00000000032C1000.00000004.00000001.sdmp, SwiftCopy.pdf.exe, 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp, dhcpmon.exe, 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp
Source: Binary string: System.pdb H source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: indows\hcUgzA.pdbpdbgzA.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: .pdbSystem source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\BtHJZpKYpK\src\obj\Debug\hcUgzA.pdb source: SwiftCopy.pdf.exe
Source: Binary string: C:\Windows\System.pdb++wE source: SwiftCopy.pdf.exe, 0000000B.00000002.910162753.0000000002F75000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: SwiftCopy.pdf.exe, 00000000.00000002.743183682.0000000006AF0000.00000002.00000001.sdmp, SwiftCopy.pdf.exe, 0000000B.00000002.912263148.0000000005A70000.00000002.00000001.sdmp, SwiftCopy.pdf.exe, 00000013.00000002.830322013.0000000006EE0000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.824841723.0000000006010000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.843885287.0000000006430000.00000002.00000001.sdmp
Source: Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: SwiftCopy.pdf.exe, 0000000B.00000002.913409176.000000000666C000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: SwiftCopy.pdf.exe, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: xetNJdChYOitP.exe.0.dr, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 10.2.SwiftCopy.pdf.exe.200000.0.unpack, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: dhcpmon.exe.11.dr, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 11.2.SwiftCopy.pdf.exe.9d0000.1.unpack, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 11.0.SwiftCopy.pdf.exe.9d0000.4.unpack, LoginForm.cs .Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
.NET source code contains potential unpacker
Source: SwiftCopy.pdf.exe, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: xetNJdChYOitP.exe.0.dr, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SwiftCopy.pdf.exe.960000.0.unpack, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.SwiftCopy.pdf.exe.200000.0.unpack, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.SwiftCopy.pdf.exe.200000.0.unpack, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.11.dr, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.SwiftCopy.pdf.exe.9d0000.1.unpack, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.SwiftCopy.pdf.exe.9d0000.4.unpack, LoginForm.cs .Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 0_2_015A8872 push cs; retf 0_2_015A8873
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 0_2_015A882D push ebx; retf 0_2_015A882E
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 0_2_015AE497 push ebp; retf 0_2_015AE499
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_01169E24 pushfd ; retf 11_2_01169E25
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_01167698 push es; ret 11_2_011676A0
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_011674B8 push ebp; ret 11_2_011674B9
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_011674AC push ecx; ret 11_2_011674AD
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_01169DEC pushfd ; retf 11_2_01169DED
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 19_2_0315E417 push ebp; retf 19_2_0315E419
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 19_2_0315882D push ebx; retf 19_2_0315882E
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 19_2_03158872 push cs; retf 19_2_03158873
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA882D push ebx; retf 20_2_04BA882E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BA8872 push cs; retf 20_2_04BA8873
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 20_2_04BAB25D push ebp; iretd 20_2_04BAB26A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F48872 push cs; retf 21_2_04F48873
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4882D push ebx; retf 21_2_04F4882E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 21_2_04F4E417 push ebp; retf 21_2_04F4E419
Source: initial sample Static PE information: section name: .text entropy: 7.53870171772
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
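The YARA hits above fire on unpacked PE images carved out of process memory, and the static lines report the indicators an analyst checks on such a carve: the .text section flags (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ), the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory that marks the file as a .NET assembly, the DllCharacteristics flags (NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT) and a .text entropy of 7.54. The Python below is an added example, not code from the report or from the sandbox vendor: it carves structurally valid PE images from a raw byte buffer and extracts exactly those indicators. The embedded "dump" is constructed inside the script (a minimal PE32 with a pseudo-random .text section and a populated CLR directory entry) and is not the analysed sample; the PE/COFF offsets used follow the published format.

```python
"""Carve PE images from a memory dump and report the static indicators a
sandbox prints: section flags, section entropy, DllCharacteristics and the
CLR (COM descriptor) directory that marks a .NET assembly.
Added example; the test image below is constructed, not the analysed sample."""
import hashlib
import math
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted code sits near 8.0, plain code well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes, off: int):
    """Parse the PE header at buf[off:]; return None unless the structure is sane."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if opt_size < 96 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:        # PE32: data directories begin at optional-header offset 96
        arch, dirs = "x86", opt + 96
    elif magic == 0x20B:      # PE32+: ImageBase and stack/heap fields are 8 bytes wider
        arch, dirs = "x64", opt + 112
    else:
        return None
    dllchars = struct.unpack_from("<H", buf, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", buf, dirs - 4)[0]   # NumberOfRvaAndSizes
    is_dotnet = False
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and dirs + 8 * 15 <= len(buf):
        rva, size = struct.unpack_from("<II", buf, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        is_dotnet = rva != 0 and size != 0          # a CLR header means a managed image
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        if hdr + 40 > len(buf):
            break
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", buf, hdr)
        data = buf[off + raw_ptr: off + raw_ptr + raw_size]   # raw layout, as in a file dump
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "flags": [v for k, v in SECTION_FLAGS.items() if flags & k],
                         "entropy": shannon_entropy(data)})
    return {"offset": off, "arch": arch, "is_dotnet": is_dotnet,
            "dll_characteristics": [v for k, v in DLL_CHARACTERISTICS.items() if dllchars & k],
            "sections": sections}


def carve_pe(buf: bytes):
    """Return parsed headers for every offset that holds a structurally valid PE."""
    hits, i = [], buf.find(b"MZ")
    while i != -1:
        info = parse_pe(buf, i)
        if info:
            hits.append(info)
        i = buf.find(b"MZ", i + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed input: minimal PE32, one high-entropy .text section, CLR entry set."""
    text, h = b"", b"constructed-seed"
    while len(text) < 0x800:                  # deterministic pseudo-random "packed" code
        h = hashlib.sha256(h).digest()
        text += h
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 8, 0, len(text), 0, 0, 0x2000, 0x2000, 0x4000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000,
                      0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)      # CLR header present
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text),
                       0x200, 0, 0, 0, 0, 0x60000020)                 # CODE|EXECUTE|READ
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers + b"\0" * (0x200 - len(headers)) + text


# Constructed "dump": padding, a decoy MZ with no PE header, the image, trailing junk.
SAMPLE_DUMP = b"\0" * 0x80 + b"MZ" + b"\0" * 0x3E + build_sample_image() + b"\xCC" * 0x40

if __name__ == "__main__":
    for hit in carve_pe(SAMPLE_DUMP):
        print(hit)
```

On a real dump the decoy case matters: "MZ" is a common two-byte sequence, so the carver only accepts an offset whose e_lfanew leads to a PE signature with a plausible optional header. Entropy is computed over raw section data, so on a memory dump (sections mapped at their virtual addresses) the slice would have to use VirtualAddress instead of PointerToRawData.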

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File created: C:\Users\user\AppData\Roaming\xetNJdChYOitP.exe Jump to dropped file
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmpF25B.tmp'
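
The task above is registered from a temporary XML file (/XML) rather than with /TR, so the program actually scheduled is only visible inside that file. The Python below is an added triage example, not output of the sandbox and not code from the sample: it parses the schtasks command line copied from the report together with a constructed task definition (an assumption about what tmpF25B.tmp contained, pointed at the dropped AppData\Roaming\xetNJdChYOitP.exe listed above) and reports the properties a responder would pull from a collected task file: where the definition came from, where the action runs from, whether the task is hidden, and which trigger keeps it alive across logons.

```python
"""Triage of a schtasks /Create persistence entry (added example, not report output).

The command line is copied from the report. TASK_XML is constructed: it is an
assumption about the contents of tmpF25B.tmp, modelled on the dropped-file path
the report lists (C:\\Users\\user\\AppData\\Roaming\\xetNJdChYOitP.exe).
"""
import re
import shlex
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"   # Task Scheduler 2.0 schema

# From the report (the sandbox renders the quotes as single quotes).
CMDLINE = ("'C:\\Windows\\System32\\schtasks.exe' /Create /TN 'Updates\\xetNJdChYOitP' "
           "/XML 'C:\\Users\\user\\AppData\\Local\\Temp\\tmpF25B.tmp'")

# Constructed: a minimal task definition in the format /XML expects (assumed contents).
TASK_XML = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\xetNJdChYOitP.exe</Command></Exec>
  </Actions>
</Task>"""

# Directories an unprivileged user can write to; a task whose action lives here
# is a persistence red flag regardless of what the task is called.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def parse_schtasks(cmdline: str) -> dict:
    """Pull the /Create options out of a schtasks.exe command line."""
    argv = shlex.split(cmdline)          # POSIX rules: single quotes keep backslashes literal
    opts = {"create": False, "tn": None, "xml": None, "tr": None}
    i = 1
    while i < len(argv):
        flag = argv[i].lower()
        if flag == "/create":
            opts["create"] = True
        elif flag in ("/tn", "/xml", "/tr") and i + 1 < len(argv):
            opts[flag[1:]] = argv[i + 1]
            i += 1
        i += 1
    return opts


def parse_task_xml(xml_text: str) -> dict:
    """Extract the action command, Hidden flag and trigger types from a task definition."""
    ns = {"t": TASK_NS}
    root = ET.fromstring(xml_text)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=ns)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=ns)
    triggers = root.find("t:Triggers", ns)
    trigger_types = [t.tag.split("}")[-1] for t in triggers] if triggers is not None else []
    return {"command": command, "hidden": hidden.strip().lower() == "true", "triggers": trigger_types}


def triage(cmdline: str, xml_text: str) -> list:
    """Return the persistence findings for one schtasks /Create plus the XML it loaded."""
    findings = []
    opts = parse_schtasks(cmdline)
    if not opts["create"]:
        return findings
    if opts["xml"] and USER_WRITABLE.search(opts["xml"]):
        findings.append("task definition supplied from a temp/user-writable XML file")
    task = parse_task_xml(xml_text)
    if USER_WRITABLE.search(task["command"]):
        findings.append(f"task action runs from a user-writable path: {task['command']}")
    if task["hidden"]:
        findings.append("task is marked Hidden")
    if "LogonTrigger" in task["triggers"] or "BootTrigger" in task["triggers"]:
        findings.append("task re-runs at logon/boot (boot survival)")
    if opts["tn"] and not opts["tn"].lower().startswith("microsoft\\"):
        findings.append(f"task lives outside the Microsoft folder: {opts['tn']}")
    return findings


if __name__ == "__main__":
    for line in triage(CMDLINE, TASK_XML):
        print("-", line)
```

On a live host the same checks apply to the XML that `schtasks /Query /TN "Updates\xetNJdChYOitP" /XML` exports, or to the task file under C:\Windows\System32\Tasks\Updates\, which is where the definition ends up after the temp file is deleted.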

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (29).png
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe File opened: C:\Users\user\Desktop\SwiftCopy.pdf.exe:Zone.Identifier read attributes | delete Jump to behavior
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: SwiftCopy.pdf.exe
Sets the process error mode to NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the message box otherwise shown when a file cannot be opened); many legitimate programs do the same, so on its own this is low-signal
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process information set: NOOPENFILEERRORBOX (111 occurrences) Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (58 occurrences) Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process information set: NOOPENFILEERRORBOX (23 occurrences)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX (23 occurrences)
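
Two of the findings in this section are about the lure file itself: the name SwiftCopy.pdf.exe fakes a document type, and the sample opens its own Zone.Identifier stream with delete access, which removes the Mark-of-the-Web that SmartScreen and Office Protected View key on. The Python below is an added example, not sandbox output and not the sample's code: it parses a Zone.Identifier stream (the contents are constructed here, since the report only shows the stream being read and deleted; the [ZoneTransfer] layout and ZoneId numbering are the documented Windows format) and flags the document-then-executable extension pair, giving the two checks a responder would run over a quarantined download.

```python
"""Triage of a downloaded lure: double extension and Mark-of-the-Web stream.

Added example, not report output. SAMPLE_ZONE_STREAM is constructed; the
report does not show the stream's contents, only its deletion.
"""
import os
from pathlib import PureWindowsPath

# URL security zones as Windows numbers them in ZoneId=.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Final extensions that execute, and the document-looking extensions that are
# placed in front of them so Explorer (which hides known extensions) shows a PDF.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}

# Constructed Zone.Identifier stream, in the form a browser writes for a download.
SAMPLE_ZONE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                      "ReferrerUrl=https://example.invalid/\r\n"
                      "HostUrl=https://example.invalid/SwiftCopy.pdf.exe\r\n")


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block of a Zone.Identifier stream."""
    result, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):
            in_section = False
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    if result.get("ZoneId", "").isdigit():
        result["ZoneName"] = ZONES.get(int(result["ZoneId"]), "unknown")
    return result


def double_extension(filename: str):
    """Return (document_ext, exec_ext) when the name fakes a document type, else None."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE and suffixes[-2] in DOCUMENT_LIKE:
        return suffixes[-2], suffixes[-1]
    return None


def read_zone_stream(path: str):
    """Read '<file>:Zone.Identifier' from NTFS; None if absent, deleted, or not on Windows."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def triage(filename: str, zone_text) -> list:
    """Findings for one file name plus its Zone.Identifier contents (None if missing)."""
    findings = []
    fake = double_extension(filename)
    if fake:
        findings.append(f"double extension: looks like {fake[0]} but runs as {fake[1]}")
    if zone_text is None:
        findings.append("no Zone.Identifier stream: MOTW absent or removed, so SmartScreen "
                        "and Protected View will not treat the file as a download")
    else:
        zone = parse_zone_identifier(zone_text)
        if zone.get("ZoneId") in {"3", "4"}:
            findings.append(f"downloaded from the {zone['ZoneName']} zone "
                            f"({zone.get('HostUrl', 'no HostUrl recorded')})")
    return findings


if __name__ == "__main__":
    for line in triage("SwiftCopy.pdf.exe", SAMPLE_ZONE_STREAM):
        print("-", line)
```

An absent stream on a file that an e-mail or browser log says was downloaded is itself evidence: either the file was unpacked from a container that does not propagate MOTW, or, as here, the process stripped it.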

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 7040, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5848, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6152, type: MEMORY
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 6872, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SwiftCopy.pdf.exe, 00000000.00000002.731903892.0000000003200000.00000004.00000001.sdmp, SwiftCopy.pdf.exe, 00000013.00000002.824701204.0000000003670000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.819289713.0000000002A60000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SwiftCopy.pdf.exe, 00000000.00000002.731903892.0000000003200000.00000004.00000001.sdmp, SwiftCopy.pdf.exe, 00000013.00000002.824701204.0000000003670000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.819289713.0000000002A60000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Thread delayed: delay time: 922337203685477 (3 occurrences) Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 (2 occurrences) Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
A delay of 922337203685477 is Int64.MaxValue in 100-nanosecond units converted to milliseconds (.NET's TimeSpan.MaxValue), i.e. an indefinite wait rather than a timed sleep.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Window / User API: foregroundWindowGot 586 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 6892 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 4608 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 4608 Thread sleep count: 182 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 4608 Thread sleep count: 206 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 4608 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 6920 Thread sleep time: -380000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 6924 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5696 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe TID: 2092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6456 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (5 occurrences)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C1276 GetSystemInfo, 11_2_052C1276
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Thread delayed: delay time: 922337203685477 (3 occurrences) Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 (2 occurrences) Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: SwiftCopy.pdf.exe, 0000000B.00000002.913493984.00000000067B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: vmware
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SwiftCopy.pdf.exe, 0000000B.00000002.913493984.00000000067B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SwiftCopy.pdf.exe, 0000000B.00000002.913493984.00000000067B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000015.00000002.840138693.0000000002D80000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: SwiftCopy.pdf.exe, 0000000B.00000003.869986141.00000000012E3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SwiftCopy.pdf.exe, 0000000B.00000002.913493984.00000000067B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Memory written: C:\Users\user\Desktop\SwiftCopy.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Memory written: C:\Users\user\Desktop\SwiftCopy.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmpF25B.tmp'
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path}
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path}
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDE76.tmp'
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE388.tmp'
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmp994A.tmp'
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Process created: C:\Users\user\Desktop\SwiftCopy.pdf.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xetNJdChYOitP' /XML 'C:\Users\user\AppData\Local\Temp\tmpBC24.tmp'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910675975.000000000338E000.00000004.00000001.sdmp Binary or memory string: Program Manager(
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910867572.000000000353C000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: SwiftCopy.pdf.exe, 0000000B.00000002.909891247.00000000018B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SwiftCopy.pdf.exe, 0000000B.00000002.909891247.00000000018B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: SwiftCopy.pdf.exe, 0000000B.00000003.869986141.00000000012E3000.00000004.00000001.sdmp Binary or memory string: Program Managerl
Source: SwiftCopy.pdf.exe, 0000000B.00000003.856666930.000000000131D000.00000004.00000001.sdmp Binary or memory string: Program Managerz4 I
Source: SwiftCopy.pdf.exe, 0000000B.00000002.909891247.00000000018B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: SwiftCopy.pdf.exe, 0000000B.00000002.909678566.00000000012E3000.00000004.00000020.sdmp Binary or memory string: Program ManagerlnA
Source: SwiftCopy.pdf.exe, 0000000B.00000003.869986141.00000000012E3000.00000004.00000001.sdmp Binary or memory string: Program Managerz

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_0115AF9A GetUserNameW, 11_2_0115AF9A
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
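The long run of per-font "Queries volume information" lines above is the kind of bulk noise a .NET process produces when GDI+ enumerates installed fonts; on its own it says little. The two findings that matter for host fingerprinting are the GetUserNameW call and the read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid. The helper below is an added example, not part of this report or of the sandbox's own tooling: it parses lines in the report's format, collapses font-directory volume queries into a single count per process, keeps any other volume-queried path verbatim, and flags the fingerprinting calls. The sample lines are copied from this section except for the AppData path, which is constructed to show a non-font query surviving; the extra API names beyond GetUserNameW in FINGERPRINT_APIS are an assumption about what else is worth flagging, not something the report lists.

```python
"""Triage sandbox behaviour lines: separate font-enumeration noise from host fingerprinting."""
import re
from collections import defaultdict

# Constructed sample in the report's own line format. All but the AppData line
# are copied from the findings above; the AppData line is made up for the demo.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Queries volume information: C:\Users\user\AppData\Roaming\sample.dat VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_0115AF9A GetUserNameW, 11_2_0115AF9A
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
""".strip().splitlines()

# One pattern per line type seen in this section of the report.
VOLUME_RE = re.compile(r"^Source: (?P<proc>.+?) Queries volume information: (?P<path>.+?) VolumeInformation$")
APICALL_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: \S+ (?P<api>\w+),")
REGQUERY_RE = re.compile(r"^Source: (?P<proc>.+?) Key value queried: (?P<key>\S+) (?P<value>\S+)$")

FONT_DIR = "c:\\windows\\fonts\\"

# GetUserNameW is the call seen in this report; the rest are assumed relatives worth flagging.
FINGERPRINT_APIS = {"GetUserNameW", "GetUserNameA", "GetComputerNameW", "GetComputerNameExW"}
# Compared case-insensitively: the MachineGuid read seen in this report.
FINGERPRINT_REGVALUES = {("hkey_local_machine\\software\\microsoft\\cryptography", "machineguid")}


def _new_record():
    return {
        "font_volume_queries": 0,       # collapsed count of C:\Windows\Fonts\* queries
        "other_volume_queries": [],     # any non-font path, kept verbatim
        "fingerprint_apis": [],         # e.g. GetUserNameW
        "fingerprint_registry": [],     # e.g. ...\Cryptography\MachineGuid
    }


def triage(lines):
    """Group the findings by source process; returns {process_path: record}."""
    per_proc = defaultdict(_new_record)
    for line in lines:
        if m := VOLUME_RE.match(line):
            rec = per_proc[m["proc"]]
            if m["path"].lower().startswith(FONT_DIR):
                rec["font_volume_queries"] += 1
            else:
                rec["other_volume_queries"].append(m["path"])
        elif m := APICALL_RE.match(line):
            if m["api"] in FINGERPRINT_APIS:
                per_proc[m["proc"]]["fingerprint_apis"].append(m["api"])
        elif m := REGQUERY_RE.match(line):
            if (m["key"].lower(), m["value"].lower()) in FINGERPRINT_REGVALUES:
                per_proc[m["proc"]]["fingerprint_registry"].append(m["key"] + "\\" + m["value"])
    return dict(per_proc)


def is_fingerprinting(record):
    """True when the process pulled user- or machine-identifying data, regardless of font noise."""
    return bool(record["fingerprint_apis"] or record["fingerprint_registry"])


if __name__ == "__main__":
    for proc, rec in triage(SAMPLE_LINES).items():
        print(proc)
        print(f"  font volume queries (collapsed): {rec['font_volume_queries']}")
        print(f"  other volume queries: {rec['other_volume_queries']}")
        print(f"  fingerprinting: {is_fingerprinting(rec)} "
              f"apis={rec['fingerprint_apis']} registry={rec['fingerprint_registry']}")
```

Run over the full section, the font lines collapse to one number and the two fingerprinting findings stand out; the same parser can be pointed at a saved report to compare processes (here SwiftCopy.pdf.exe against the dropped dhcpmon.exe) for the same behaviour.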

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 00000020.00000000.836222469.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.819759981.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.835267863.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.820327781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.726462560.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.820471977.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.741715588.00000000045C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.912619347.0000000005D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.841434727.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.852127142.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.835581816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.734043460.00000000041D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.908625280.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.826910629.0000000004641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.836971548.0000000004391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911022966.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.726040524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.857349420.0000000003F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 2848, type: MEMORY
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 6872, type: MEMORY
Source: Yara match File source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.5d70000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SwiftCopy.pdf.exe.4746d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SwiftCopy.pdf.exe.4746d68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4332580.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4319591.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4319591.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f89591.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43e9591.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4332580.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f7ed1e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.431dbba.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.5d70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43e3b5b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f89591.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.dhcpmon.exe.3e56d68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.3b36d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.5d74629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f83b5b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43e9591.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.dhcpmon.exe.3e56d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.3b36d68.2.unpack, type: UNPACKEDPE
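Every Yara source listed above is a process memory dump (.sdmp) or an unpacked PE image (.unpack), not the file on disk: the NanoCore client only becomes recognisable after the .NET loader has unpacked it. The scanner below is an added example written for this report, not the sandbox's Yara rule or NanoCore's own code. It searches a memory buffer for the plugin-host marker strings that this report quotes from memory (NanoCore.ClientPluginHost, IClientNetworkHost, NanoProtectClient, KillNanoCore, the "[NanoProtect]" log message), in both the ASCII form used by .NET metadata and the UTF-16LE form used by .NET user strings, and calls it a match only when at least two distinct markers are present, the usual "N of them" discipline. The sample buffer and the single-byte XOR "packer" are constructed for the demo (the real sample's packer is not XOR); the packed run exists only to show why the on-disk file yields nothing to a string scan.

```python
"""Scan a memory region for NanoCore plugin-host markers in ASCII and UTF-16LE."""
import re

# Marker strings quoted from the memory findings in this report.
# NanoCore.ClientPlugin is deliberately left out: it is a substring of
# NanoCore.ClientPluginHost and would inflate the distinct-marker count.
NANOCORE_MARKERS = (
    "NanoCore.ClientPluginHost",
    "IClientNetworkHost",
    "NanoProtectClient",
    "KillNanoCore",
    "[NanoProtect]: Checking for NanoProtect module",
)


def _compile_patterns():
    """One byte-regex per marker per encoding; .NET metadata is ASCII, user strings are UTF-16LE."""
    pats = []
    for marker in NANOCORE_MARKERS:
        pats.append((marker, "ascii", re.compile(re.escape(marker.encode("ascii")))))
        pats.append((marker, "utf-16le", re.compile(re.escape(marker.encode("utf-16-le")))))
    return pats


PATTERNS = _compile_patterns()


def scan(data, min_distinct=2):
    """Return the markers found in `data` with offsets; `match` needs `min_distinct` different markers."""
    hits = []
    for marker, enc, pat in PATTERNS:
        for m in pat.finditer(data):
            hits.append({"marker": marker, "encoding": enc, "offset": m.start()})
    distinct = sorted({h["marker"] for h in hits})
    return {"match": len(distinct) >= min_distinct, "distinct_markers": distinct, "hits": hits}


def xor_pack(data, key):
    """Toy single-byte XOR wrapper standing in for a packer (an assumption for the demo, not NanoCore's packer)."""
    return bytes(b ^ key for b in data)


# Constructed sample: filler around one ASCII marker and one UTF-16LE marker.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"NanoCore.ClientPluginHost"
    + b"\x90" * 8
    + "IClientNetworkHost".encode("utf-16-le")
    + b"\xcc" * 8
)
PACKED_SAMPLE = xor_pack(SAMPLE_MEMORY, 0x5A)


if __name__ == "__main__":
    for label, buf in (("unpacked memory", SAMPLE_MEMORY), ("packed on disk", PACKED_SAMPLE)):
        r = scan(buf)
        print(f"{label}: match={r['match']} markers={r['distinct_markers']}")
        for h in r["hits"]:
            print(f"  {h['marker']!r} ({h['encoding']}) at offset {h['offset']:#x}")
```

To use it on real material, read a dumped region (for example one of the 0x402000 images named above, obtained from a debugger or the sandbox's download) into bytes and pass it to scan; a hit in the ASCII form points at the assembly's metadata tables, a hit in UTF-16LE at a string the client builds or logs at runtime.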

Remote Access Functionality:

Detected Nanocore Rat
Source: SwiftCopy.pdf.exe, 00000000.00000002.741715588.00000000045C0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910531601.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910531601.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: SwiftCopy.pdf.exe, 0000000B.00000002.910531601.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: SwiftCopy.pdf.exe, 0000001D.00000000.819759981.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: SwiftCopy.pdf.exe, 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: SwiftCopy.pdf.exe, 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: dhcpmon.exe, 00000020.00000000.836222469.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Yara detected Nanocore RAT
Source: Yara match File source: 00000020.00000000.836222469.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.819759981.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.835267863.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.820327781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.726462560.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.820471977.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.741715588.00000000045C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.857250258.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.912619347.0000000005D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.841434727.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.852127142.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.835581816.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.734043460.00000000041D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.908625280.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.826910629.0000000004641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.836835816.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.836971548.0000000004391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911022966.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.726040524.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.857349420.0000000003F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 2848, type: MEMORY
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 6476, type: MEMORY
Source: Yara match File source: Process Memory Space: SwiftCopy.pdf.exe PID: 6872, type: MEMORY
Source: Yara match File source: 29.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.5d70000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SwiftCopy.pdf.exe.4746d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SwiftCopy.pdf.exe.4746d68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.SwiftCopy.pdf.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4332580.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4319591.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.dhcpmon.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4319591.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f89591.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43e9591.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.4332580.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f7ed1e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.431dbba.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.5d70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43e3b5b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f89591.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.dhcpmon.exe.3e56d68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.3b36d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.SwiftCopy.pdf.exe.5d74629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SwiftCopy.pdf.exe.42d6d68.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.dhcpmon.exe.3f83b5b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.0.SwiftCopy.pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43e9591.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.SwiftCopy.pdf.exe.43ded1e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.dhcpmon.exe.3e56d68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.dhcpmon.exe.3b36d68.2.unpack, type: UNPACKEDPE
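The marker strings recorded above (NanoCore.ClientPluginHost, IClientNetworkHost, ClientPlugin.dll, the NanoProtectClient plugin names and its "[NanoProtect]: Checking for NanoProtect module.." literal) are the kind of content the Yara matches in this list key on. The following Python is an added example, not code from this report, from Joe Sandbox, or from NanoCore: it scans a memory region for those markers in both UTF-8 (the .NET #Strings heap, where type and member names live) and UTF-16LE (the #US heap, where string literals live), which is what a Yara `ascii wide` modifier does, and applies a hit threshold so the generic Microsoft.VisualBasic names shared with any VB.NET assembly do not convict on their own. The thresholds, the verdict labels and the two sample regions are assumptions constructed for the example; `scan_file` reads any .sdmp, .unpack or raw region by path.

```python
"""Scan a memory region for the NanoCore client/plugin metadata markers
listed in this report, in both UTF-8 and UTF-16LE, and apply a hit threshold.

Added example; not code from the report, Joe Sandbox, or NanoCore.
"""
from pathlib import Path

# Marker strings copied from the "String found in binary or memory" evidence
# above. Type and member names sit in the .NET #Strings heap as UTF-8; string
# literals sit in the #US heap as UTF-16LE, so every marker is searched in both.
CORE_MARKERS = (
    b"NanoCore.ClientPluginHost",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"ClientPlugin.dll",
    b"LogClientMessage",
)
PLUGIN_MARKERS = (
    b"NanoProtectClient",
    b"KillNanoCore",
    b"GetProtectFile",
    b"[NanoProtect]: Checking for NanoProtect module..",
)
# Thresholds are an assumption for this example (they mirror a Yara
# "N of ($s*)" condition); LogClientMessage alone is too generic to convict on.
CORE_THRESHOLD = 3
PLUGIN_THRESHOLD = 2


def encoded_forms(marker: bytes):
    """Yield (label, needle) for the UTF-8 and UTF-16LE forms of a marker."""
    yield "ascii", marker
    yield "wide", marker.decode("ascii").encode("utf-16-le")


def find_markers(region: bytes, markers) -> dict:
    """Return {marker: (encoding, offset)} for every marker present in region."""
    hits = {}
    for marker in markers:
        for label, needle in encoded_forms(marker):
            offset = region.find(needle)
            if offset != -1:
                hits[marker.decode("ascii")] = (label, offset)
                break  # the first encoding that matches is enough
    return hits


def classify(region: bytes) -> dict:
    """Apply the threshold condition and return the verdict plus supporting hits."""
    core = find_markers(region, CORE_MARKERS)
    plugin = find_markers(region, PLUGIN_MARKERS)
    has_core = len(core) >= CORE_THRESHOLD
    has_plugin = len(plugin) >= PLUGIN_THRESHOLD
    if has_core and has_plugin:
        verdict = "nanocore_client_with_nanoprotect"
    elif has_core:
        verdict = "nanocore_client"
    elif has_plugin:
        verdict = "nanoprotect_plugin"
    else:
        verdict = "clean"
    return {"verdict": verdict, "core": core, "plugin": plugin}


def scan_file(path: str) -> dict:
    """Classify a dump file (.sdmp, .unpack or any raw region) by path."""
    return classify(Path(path).read_bytes())


# Constructed sample regions (not dumps from the report). The first is laid
# out like the dhcpmon.exe heap dump above, with the NanoProtect log literal
# stored UTF-16LE as a .NET #US heap string would be; the second is a benign
# VB.NET assembly that shares the generic Microsoft.VisualBasic names.
INJECTED_REGION = (
    b"\x00" * 64
    + b"<Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputer"
    + b"NanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHost"
    + b"LogClientMessageClientPluginClientPlugin.dll"
    + b"\x00" * 32
    + "[NanoProtect]: Checking for NanoProtect module..".encode("utf-16-le")
    + b"\x00" * 8
    + b"NanoProtectClientKillNanoCoreGetProtectFile"
    + b"\x00" * 64
)
BENIGN_VB_REGION = (
    b"<Module>mscorlibMicrosoft.VisualBasicMyApplicationMyComputerMyProject"
    b"ThreadSafeObjectProvider`1LogClientMessageClientPlugin"
)

if __name__ == "__main__":
    for name, region in (("injected", INJECTED_REGION), ("benign", BENIGN_VB_REGION)):
        result = classify(region)
        print(f"{name}: {result['verdict']}")
        for marker, (label, offset) in {**result["core"], **result["plugin"]}.items():
            print(f"  {marker!r} ({label}) at 0x{offset:x}")
```

In the match list above the same markers turn up both in the 0x402000 regions and in heap regions; if the fifth field of the dump name is the page protection, as the values 0x40 (PAGE_EXECUTE_READWRITE) and 0x04 (PAGE_READWRITE) suggest, then scanning both kinds matters, since a packer may only ever expose the decompressed payload in read-write heap pages and never in an executable image region.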
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C2A9E bind, 11_2_052C2A9E
Source: C:\Users\user\Desktop\SwiftCopy.pdf.exe Code function: 11_2_052C2A4C bind, 11_2_052C2A4C
[Chart legend (chart image not included in this extract): No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs]