
Windows Analysis Report: Swift Copy.exe

Overview

General Information

Sample Name: Swift Copy.exe
Analysis ID: 458930
MD5: 2d6c5824ba1d09d610cf914f003c7276
SHA1: 3c3155f0f1dd4aa1a6848892cc75399da642662a
SHA256: fa8025405c4c0290b63c2bbdf413edf496b729abe7bc791eb125f2c21895c842
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Swift Copy.exe (PID: 6596 cmdline: 'C:\Users\user\Desktop\Swift Copy.exe' MD5: 2D6C5824BA1D09D610CF914F003C7276)
    • RegSvcs.exe (PID: 7108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6668 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 6900 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Note: NXLun.exe, the copy dropped under %APPDATA%\NXLun\ for persistence, has the same MD5 as the legitimate RegSvcs.exe (2867A3817C9245F7CF518524DFD18F28) and carries the RegSvcs.pdb debug string, so it is a renamed copy of the .NET Framework binary rather than the payload itself. Block or hunt on the dropped path, not on the hash, since the hash also matches RegSvcs.exe on any system with this framework build.

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "sales@radheatwaters.com", "Password": "waters@789", "Host": "uscentral50.myserverhosts.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RegSvcs.exe PID: 7108 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

            Unpacked PEs

Source | Rule | Description | Author
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

                Sigma Overview

                System Summary:

Sigma detected: Suspicious Process Start Without DLL
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: (empty), Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift Copy.exe', ParentImage: C:\Users\user\Desktop\Swift Copy.exe, ParentProcessId: 6596, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7108
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: (empty), Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift Copy.exe', ParentImage: C:\Users\user\Desktop\Swift Copy.exe, ParentProcessId: 6596, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7108

Both rules fire on the same event: RegSvcs.exe, a .NET Framework utility that normally takes an assembly to register, was launched with a command line equal to its own image path (no argument at all) and with Swift Copy.exe from the user's Desktop as parent. That shape is the process-hollowing step; the payload is the AgentTesla module later found at 0x400000 inside PID 7108.

                Jbx Signature Overview


                AV Detection:

Found malware configuration
Source: 5.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@radheatwaters.com", "Password": "waters@789", "Host": "uscentral50.myserverhosts.com"}
Multi AV Scanner detection for submitted file
Source: Swift Copy.exe | Virustotal: Detection: 63%
Source: Swift Copy.exe | Metadefender: Detection: 45%
Source: Swift Copy.exe | ReversingLabs: Detection: 81%
Machine Learning detection for sample
Source: Swift Copy.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Swift Copy.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Swift Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.879911787.000000000616C000.00000004.00000001.sdmp, NXLun.exe, 0000000C.00000000.751818499.0000000000322000.00000002.00020000.sdmp, NXLun.exe, 0000000E.00000000.769239763.00000000006A2000.00000002.00020000.sdmp, NXLun.exe.5.dr
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000E.00000002.771944861.0000000004E90000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.5.dr
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 174.136.12.72:587 (SMTP submission port, consistent with the SMTP exfil host in the extracted configuration)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 174.136.12.72
Source: unknown | DNS traffic detected: queries for: uscentral50.myserverhosts.com
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000005.00000002.915430072.0000000006150000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMOD
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: Swift Copy.exe | String found in binary or memory: http://i.imgur.com/blkrqBo.gifiThis
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: http://knrDOu.com
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0K
Source: RegSvcs.exe, 00000005.00000002.914343205.00000000033A1000.00000004.00000001.sdmp | String found in binary or memory: http://uscentral50.myserverhosts.com
Source: Swift Copy.exe, 00000000.00000003.651279811.0000000005F1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Swift Copy.exe, 00000000.00000003.650768353.0000000005EE8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Swift Copy.exe, 00000000.00000003.646781257.0000000005EFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Swift Copy.exe, 00000000.00000003.648730703.0000000005EE7000.00000004.00000001.sdmp, Swift Copy.exe, 00000000.00000003.648289536.0000000005EEE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Swift Copy.exe, 00000000.00000003.649167632.0000000005EE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Swift Copy.exe, 00000000.00000003.648981932.0000000005EE8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/)
Source: Swift Copy.exe, 00000000.00000003.649325158.0000000005EE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn_
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.come
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comeb
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comr
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://ieCyjsGVULsHnV35yt1w.com
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: Swift Copy.exe | String found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f
Source: RegSvcs.exe, 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Not every string above is an indicator. The font-foundry URLs (fonts.com, founder.com.cn, sajatypeworks.com, ascendercorp.com, carterandcone.com) and the Comodo/Sectigo CRL and OCSP URLs are residue of embedded font and certificate data, and the imgur and hummingbird.me links sit in the initial loader. The strings that matter come from the injected payload in RegSvcs.exe: the SMTP host uscentral50.myserverhosts.com, the api.ipify.org external-IP lookup, and the Tor Browser download URL.
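The two Sigma matches in the Sigma Overview and the TCP connection to 174.136.12.72:587 describe one detection pattern: a .NET Framework utility that should take an assembly argument starts with none, from a parent in a user-writable directory, and then opens an SMTP port it has no business using. The block below is an added example, not Joe Sandbox or SigmaHQ code; it re-implements the gist of both detections in plain Python over constructed Sysmon-style events. The LOLBin list, the trusted-parent roots, the mail-port set and the event layout are all assumptions, not the real rule definitions.

```python
"""Two detections from the report, re-implemented over constructed Sysmon-style events:
  1. a .NET Framework utility (RegSvcs.exe here) started with no arguments by a parent
     outside the Windows/Program Files trees, and
  2. the same utility opening an SMTP port.
Added example, not Joe Sandbox or SigmaHQ code; the LOLBin list, the trusted-parent
roots and the event shape are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath

# Assumption: utilities that take an assembly as argument and are commonly hollowed.
DOTNET_LOLBINS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                  "aspnet_compiler.exe"}
# Assumption: parents under these roots are not treated as suspicious.
TRUSTED_PARENT_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MAIL_PORTS = {25, 465, 587}


@dataclass
class Event:
    event_id: int              # Sysmon numbering: 1 = process create, 3 = network connect
    image: str
    process_id: int
    command_line: str = ""
    parent_image: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def has_arguments(command_line: str, image: str) -> bool:
    """True when the command line carries more than the image path itself."""
    cl = command_line.strip().strip('"').strip("'").lower()
    if not cl:
        return False
    return cl not in (image.lower(), basename(image))


def rule_lolbin_start_without_args(e: Event) -> Optional[str]:
    """Process start without the assembly argument the utility exists to take,
    from a parent in a user-writable location: the hollowing step in this report."""
    if e.event_id != 1 or basename(e.image) not in DOTNET_LOLBINS:
        return None
    if has_arguments(e.command_line, e.image):
        return None
    if e.parent_image.lower().startswith(TRUSTED_PARENT_ROOTS):
        return None
    return f"{basename(e.image)} (pid {e.process_id}) started without arguments by {e.parent_image}"


def rule_lolbin_smtp(e: Event) -> Optional[str]:
    """The same utility, which never sends mail, connecting to an SMTP port."""
    if e.event_id != 3 or basename(e.image) not in DOTNET_LOLBINS:
        return None
    if e.dest_port not in MAIL_PORTS:
        return None
    return f"{basename(e.image)} (pid {e.process_id}) connected to {e.dest_ip}:{e.dest_port}"


RULES = (rule_lolbin_start_without_args, rule_lolbin_smtp)


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, message) for every rule that matches an event."""
    hits = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed events mirroring the report's process tree and traffic (not a real log export).
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    Event(1, r"C:\Users\user\Desktop\Swift Copy.exe", 6596,
          command_line="'C:\\Users\\user\\Desktop\\Swift Copy.exe'",
          parent_image=r"C:\Windows\explorer.exe"),
    Event(1, REGSVCS, 7108, command_line=REGSVCS,
          parent_image=r"C:\Users\user\Desktop\Swift Copy.exe"),
    # Benign control: the same utility with its normal argument, from an installed product.
    Event(1, REGSVCS, 4242, command_line=f'{REGSVCS} "C:\\Program Files\\Vendor\\Comp.dll"',
          parent_image=r"C:\Program Files\Vendor\setup.exe"),
    Event(3, REGSVCS, 7108, dest_ip="174.136.12.72", dest_port=587),
]

if __name__ == "__main__":
    for name, msg in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {msg}")
```

The benign control event shows the trade-off: a legitimate installer calling RegSvcs.exe with a DLL path does not match, but a loader that passes a dummy argument, or that runs from under C:\Windows after copying itself there, would slip past the first rule. The network rule is the more robust of the two here, since nothing legitimate makes RegSvcs.exe speak SMTP.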

                Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
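The report records that the injected RegSvcs.exe read and then wrote the hosts file, but not what it wrote. On an affected host the first question is which names were added and where they now resolve: a loopback or null address sinkholes the name (the usual way to cut off AV or update servers), anything else redirects it. The following is an added example, not part of the report; it parses a hosts file and classifies every mapping beyond a stock template. The baseline set and the sample hosts content are constructed.

```python
"""Audit a Windows hosts file for mappings beyond the stock template.
Added example, not from the report; the hosts content below is constructed."""
import ipaddress
from typing import List, Tuple

# Assumption: a stock hosts file carries only these (normally commented-out) mappings.
BASELINE = {("127.0.0.1", "localhost"), ("::1", "localhost")}
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

Finding = Tuple[str, str, str]   # (kind, address, hostname)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, skipping comments and junk."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing and full-line comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                              # first token is not an address: malformed
        pairs.extend((addr, n.lower()) for n in names)
    return pairs


def audit_hosts(text: str) -> List[Finding]:
    """Classify every non-baseline mapping as a sinkhole (loopback/null target)
    or a redirect (any other address)."""
    findings = []
    for addr, name in parse_hosts(text):
        if (addr, name) in BASELINE:
            continue
        kind = "sinkhole" if addr in SINKHOLE_ADDRS else "redirect"
        findings.append((kind, addr, name))
    return findings


# Constructed sample: the stock header plus two mappings of the kinds a stealer adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
0.0.0.0 updates.example-av.test          # security-vendor host sinkholed
192.0.2.10 login.example-bank.test       # name pointed at an attacker-controlled address
"""

if __name__ == "__main__":
    for kind, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:8} {addr:16} {name}")
```

On a live system feed it the contents of C:\Windows\System32\drivers\etc\hosts; in an environment that legitimately pins internal names, extend BASELINE from a known-good copy rather than from the suspect host.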

                System Summary:

.NET source code contains very large array initializations
Source: 5.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{8EBE0887-52DA-4DF7-AB51-183BD1532218}/8B181F2A-08E3-4851-889C-F1A7A4D42382.cs | Large array initialization: .cctor: array initializer size 11961
.NET source code contains very large strings
Source: Swift Copy.exe, DNivaRVr0UVDkJ7TUW/Y7YycAhjkVqtbt4cEc.cs | Long String: Length: 10292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 5_2_010A2D50, 5_2_010ADC00, 5_2_010A2768, 5_2_010AAB78, 5_2_010A1FF0, 5_2_010B2210, 5_2_010B0290, 5_2_010B64C0, 5_2_010B4788, 5_2_010B7680, 5_2_010BCD08, 5_2_013E47A0, 5_2_013E4761, 5_2_013E4781, 5_2_013ED660, 5_2_062B9650, 5_2_062BB190, 5_2_062B5DF0, 5_2_062B6E58
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Sample file is different than original file name gathered from version info
Source: Swift Copy.exe, 00000000.00000000.644424930.0000000000BA8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsIdenti.exe2 vs Swift Copy.exe
Source: Swift Copy.exe | Binary or memory string: OriginalFilenameWindowsIdenti.exe2 vs Swift Copy.exe
Source: 5.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Swift Copy.exe, u69hr273pZXtuR9Feq/K0AK1lI66eynLEt88F.cs | Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAKRJREFUeNpi/P//P8NgBkwMgxyMOnDUgaMOHHXgqANHHTjqwAEGoNYMMgYCeyA+CZIiAm8HYhWaugeLA58T6TgY3ohk/l4S9aLjvejuwRbFEiR6WhGJ/YvCAMTQz0LlFOM5mospBBSnQVo7cDQNjqZBaqTBpyQ66hEt0yC2msSDhNrkEhBr0bKqYxwdWRh14KgDRx046sBRB446cNSBQ9qBAAEGAPhFqjdpHPl0AAAAAElFTkSuQmCC'
Source: Swift Copy.exe, DNivaRVr0UVDkJ7TUW/Y7YycAhjkVqtbt4cEc.cs | Base64 encoded string: (string not reproduced on this page)
Source: Swift Copy.exe, weF2A7U7OjcBrViLe7y/pKFkmJUICeFfreuPuaf.cs | Base64 encoded string: (string not reproduced on this page)
                Source: Swift Copy.exe, NEsOa2UcjD4a8hb5TL8/WpgubaUXgjHEGEaSAIu.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAAAsAAAAUCAYAAABbLMdoAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXc
NAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO
Source: Swift Copy.exe, TQ2yMJporpZ352ULxY/lDOo95k329E5qDgoSK.cs | Base64 encoded strings: (two strings, not reproduced on this page)
Source: Swift Copy.exe, 00000000.00000003.652267133.0000000005F15000.00000004.00000001.sdmp | Binary or memory string: The Monotype Corporation plc. 1992. All rights reserved.slntb
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\Swift Copy.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift Copy.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_01
Source: C:\Users\user\Desktop\Swift Copy.exe | Mutant created: \Sessions\1\BaseNamedObjects\RfWIwxmLbn
Source: Swift Copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Swift Copy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Swift Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\Swift Copy.exe 'C:\Users\user\Desktop\Swift Copy.exe'
Source: C:\Users\user\Desktop\Swift Copy.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Swift Copy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Swift Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Swift Copy.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Swift Copy.exe | Static file information: File size 1136128 > 1048576
Source: Swift Copy.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x114c00
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010A7E3F push edi; retn 0000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_062B474B push 8BFFFFFFh; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_062B2AF5 push cs; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_062B2B34 push cs; retf
Source: initial sample | Static PE information: section name: .text entropy: 6.90263160898
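Three of the static observations above are cheap triage checks that can be reproduced on any sample without running it: the .text section is larger than 1 MiB (raw size 0x114c00), its entropy is high (6.90), and the version resource's OriginalFilename (WindowsIdenti.exe) disagrees with the file name. The block below is an added example, not Joe Sandbox code; it implements those checks with the standard library only, so the PE is represented by already-extracted inputs (section name to raw bytes, plus the OriginalFilename string) instead of being read with a PE parser. The entropy threshold and the constructed section contents are assumptions.

```python
"""Static triage checks of the kind the report lists: section entropy, an
oversized .text section, and a version-info OriginalFilename that disagrees
with the file name. Added example, not Joe Sandbox code. Inputs stand in for
a parsed PE: section name -> raw bytes, and the VersionInfo OriginalFilename."""
import math
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


ENTROPY_PACKED = 6.8        # assumption: code above this is treated as packed or encrypted
TEXT_SIZE_LIMIT = 0x100000  # the 1 MiB bound the report applies to .text


def triage(file_name: str, original_filename: str, sections: Dict[str, bytes]) -> List[str]:
    """Return one finding per check that fires; an empty list means nothing stood out."""
    findings = []
    for name, raw in sections.items():
        h = shannon_entropy(raw)
        if h >= ENTROPY_PACKED:
            findings.append(f"section {name} entropy {h:.2f} >= {ENTROPY_PACKED}")
        if name == ".text" and len(raw) > TEXT_SIZE_LIMIT:
            findings.append(f".text raw size 0x{len(raw):x} > 0x{TEXT_SIZE_LIMIT:x}")
    if original_filename and original_filename.lower() != file_name.lower():
        findings.append(
            f"OriginalFilename '{original_filename}' differs from file name '{file_name}'")
    return findings


# Constructed inputs standing in for the sample: a .text section of 0x114c00 bytes
# with an artificially uniform byte distribution (entropy exactly 8.0, higher than
# the 6.90 the report measured), a constant .rsrc, and the OriginalFilename the
# report found in the version resource.
SAMPLE_SECTIONS = {
    ".text": bytes(range(256)) * (0x114c00 // 256),
    ".rsrc": b"\x00" * 0x1000,
}
SAMPLE_FILE = "Swift Copy.exe"
SAMPLE_ORIGINAL = "WindowsIdenti.exe"

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILE, SAMPLE_ORIGINAL, SAMPLE_SECTIONS):
        print(finding)
```

None of these checks is conclusive on its own: .NET assemblies with large embedded resources legitimately exceed 1 MiB, compressed resources push entropy up, and renamed installers fail the OriginalFilename check. Together with the 63% to 81% scanner hit rate above they are enough to prioritise the sample for detonation, which is how the report uses them.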
Source: Swift Copy.exe, u69hr273pZXtuR9Feq/K0AK1lI66eynLEt88F.cs | High entropy of concatenated method names: 'jpX0n4rDQt', 'TGY0l3xAZf', 'WRR0aCxiyU', 'tCm0v39iYl', 'GNM0uCxpD5', 'L1308UU97A', 'HYZ0bbheqw', 'T0j0NVEe6m', 'guI0G2o8Dq', 'IbI0SPRq6n'
Source: Swift Copy.exe, udGQngUsh86kB5eKspM/DC7U5qUmoa89IHdxkpw.cs | High entropy of concatenated method names: '.ctor', 'Dl4JD8PYxj', 'rQ8J6KbYpL', 'PElJhs2dMP', 'bnLJOte3Cx', 'ThOJgnuMDe', 'OvGJAikVIc', 'QKeJcCoNwL', 'HbWJRPiPJa', 'RiKJmPTdyQ'
Source: Swift Copy.exe, zP3WyVruDuHmDL2vrX/AFm0whgm8FNTDmWuOM.cs | High entropy of concatenated method names: 'I4rGK7dLx', 'QIcS8r1PI', 'GO1TxE22g', 'aVIwjck3V', 'BFS5sZ0XK', 'TA4DgBjAx', 'NtHd6Nfkm', 'SM4h4Ksq0', '.ctor', 'CN78BywCL'
Source: Swift Copy.exe, DNivaRVr0UVDkJ7TUW/Y7YycAhjkVqtbt4cEc.cs | High entropy of concatenated method names: 'bZhHK0UFeR', 'FlEH7G0hAy', 'yZ8HCtGsbU', 'yLsH18nM9H', 'teuHQrNfsV', 'XyjHZmGaEd', 'whPHn7sTRA', 'J6OHlslfov', 'vn5HpNhpu0', 'q9nHgCRxJl'
Source: Swift Copy.exe, RPPXWjbXSPZoFndCkk/RT4PhGFNmwZTuxyVao.cs | High entropy of concatenated method names: 'zYm2oivllO', 'lmq2Q8YSTE', 'LcG2eqBWwZ', 'eIy2nrGD0a', 'Wy72VlRQve', 'THf2ai1OP3', 'EeV2PDKrYl', 'KBc2uK80KG', '.ctor', 'IMc2J8Tb9P'
Source: Swift Copy.exe, HASONKauKeOQRuJl2M/kEasOledfbdAPjoNUk.cs | High entropy of concatenated method names: '.ctor', 'Bxt23wVWvI', 'Dispose', 'SHY2WwZymo', 'Tjp2LEaiRx', 'HZ42i6i8k3', 'uuJ2fIUjnv', 'Rd12qlPcJ2', 'qH5QKVNUt7', 'xsuQLQs46V'
Source: Swift Copy.exe, UYPUoiKZOCoQBomcUb/qGEWOrZBSClZcGRHlM.cs | High entropy of concatenated method names: 'vjVfT3vD2W', 'MFjf5vI2ps', 'khKfDZNyfQ', 'Am0fdQNEpp', 'Am4fhmkTwl', 'Mn7fpdaFfl', 'wxxfg43Vhn', 'QjsfYM4BuR', 'hPyfc34S18', 'gO3fIoFlB8'
Source: Swift Copy.exe, EQwwY2AvimKtOywqVpi/LsPBxfAtDO7kHoE3mUR.cs | High entropy of concatenated method names: '.ctor', 'adYDorNO8R', 'JQKDQVM1aH', 'nfmDeJ7NPI', 'SrgDn0Kp8P', 'CfHDVYFUxk', 'QD7DaUsh4B', 'wqvDPuHMhb', 'S1HDuuOHRW', 'cn9DJ1qwgi'
Source: Swift Copy.exe, vDna4qA5JEueEyRAL7h/KjfkJkA8ARLaLhp6ok6.cs | High entropy of concatenated method names: '.ctor', 'MBf5c6mnUo', 'ygV5R2XXTK', 'NBg5mPtD63', 'LXN599JHfQ', 'NT95E3HydX', 'eqf5jOJiDx', 's3V5sY2FBa', 'fy05kpPgZm', 'Khg5U4dgBj'
Source: Swift Copy.exe, vJpFliAA8IDyYvQtmLV/JN0smGAUVScJIyhVVHV.cs | High entropy of concatenated method names: 'HNe54skNwx', 'RGZ5TGSEOm', 'kP15xFVOe2', 'Ttc55ZFEpA', 'Hqc56ocRtW', 'MCd5dJvJXa', '.ctor', 'xyw5G8GjaL', 'KKe5S5NQgn', 'uA6J3BSn2KCbmqavN6Q'
Source: Swift Copy.exe, RAXN0xUfYZwZ7DyJ9Yg/H0XKqLUJ0ejhbCq4clJ.cs | High entropy of concatenated method names: '.ctor', 'B8US93JxC5', 'tWiSX0enga', 'gXAM5XMWRl', 'qP3MDHdxbr', 'SosMd8V6HB', 'tSgMhgM1h8', 'E7PMptW9AL', 'PRIMgG1tD0', 'GMxMYUgvJj'
Source: Swift Copy.exe, Di6POOUjorUo5tCAZPA/aqKBgwUCPpfUuXRINhG.cs | High entropy of concatenated method names: 'FCxubCMRbc', 'y1FuN6NPUF', '.ctor', 'lsfuaBBTUR', 'jIuuvehkV1', 'OnPaint', 'AwRuuAxy9O', 'rkau8VhF2u', 'OnMouseDown', 'OnMouseUp'
Source: Swift Copy.exe, NUm4KkU6Wp8lbnadFZ2/mGLhrnUxIcSc4WwaWC7.cs | High entropy of concatenated method names: 'lbpufiVFoF', 'G1luqBM8pm', 'gZyuKQXqoA', 'v95u7x3rUQ', 'Y9Ou2NJGEn', 'UG2u0L8r32', '.ctor', 'OnPaint', 'OnHandleCreated', 'OnMouseDown'
Source: Swift Copy.exe, rmTU1lWjSySwRM9qH6/f8Odf2B0J1XgEncaDl.cs | High entropy of concatenated method names: 't8vWT1DmA1', 'DcGWwpIpxw', '.ctor', 'fr0W53xZfn', 'nWfWDg6ieS', 'cAMWGyyDbS', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'VOkWSj0FdL'
Source: Swift Copy.exe, KGUF17PI0dfkmqIk3W/zWHIeyoobjVLImo1Ag.cs | High entropy of concatenated method names: 'gxmWfVWSxw', 'msJWqS4tFT', 'nFbWCkji02', 'xacW1dmPHP', 'lHWWQ6cSjU', 'l7bWZo7w1G', 'fyAWnqmwhP', 'HlJWlW7wSj', 'w03W2fHZAI', 'VSVW0qyXK0'
Source: Swift Copy.exe, tlkqsHUase1rBiyFrdo/SpWWPPUeSucFSLHimdB.cs | High entropy of concatenated method names: 'TeqPDfRobn', 'lJmP6AWMuk', 'YIVPllnpW1', 'RkYPVgxcLy', 'rxxPv9Z6iP', 'pP3PP4xIYv', 'ur4P8QAsQ1', 'A25PJk88CI', 'c4FPNwq0nM', 'Xm2PMjE0rt'
Source: Swift Copy.exe, wjWbRqUV63LsJdrVMV5/ffrhwHUhevmCMeyOQKD.cs | High entropy of concatenated method names: 'Q22vd35afw', 'NUxvhwOS3O', 'XP0vp9txZZ', 'KmxvgwvBle', 'qgIvY6vONv', 'Phrvcihx55', 'UhwvI1A7fG', 'gvOvmbp4mH', 'WcyvXFyYss', 'n69vEdW0da'
Source: Swift Copy.exe, gTveYoU3IAV6vXaSa3M/Fo4mprUnEFkJnjbuB8d.cs | High entropy of concatenated method names: 'qO9vKYgKcQ', 'lKhv7wsfrA', 'ziuaXJJhWf', 'rdHaE92Hbb', 'JhOaF5qrkU', 'E0pasEPyvl', 'pboarcnn74', 'A9qaUbZpp2', 'pubazIIfFW', 'P8tv3ERlB7'
Source: Swift Copy.exe, MTQFC1R44DDq9k3hQh/qatmnn07bWO6OFdjqv.cs | High entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'XAJ7mIKnW1', 't8R79jVfhO', 'you7EeQOwn', 'Q7E7jB6Fhq', 'BBR7s4QKwU', 'd8T7kpiPt9', 'pKB7UbCmZ8', 'hrK7tReDlk'
Source: Swift Copy.exe, JIhqOCfe1MkuPSWLqK/A5D9eAJ5KdwyFDOZ4n.cs | High entropy of concatenated method names: '.ctor', 'eH3KM92cnf', 'pCBKG87o1Z', 'lm3KSAgBkb', 'pABK4r6Wt6', 'ytnK5mUpa5', 'R47KDE2aGM', 't8cKdhOLc0', 'ELoKhdycrV', 'QS6KpCJ413'
Source: Swift Copy.exe, mIJoOPGn4lwWi9U6hu/V0IiomNbF9YkTdqhVb.cs | High entropy of concatenated method names: '.ctor', 'zdWKlnvkf4', 'gOMKVfi2LK', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'TdRKnc8ZFc', 'qbg4lpmgZGsvKyeDUhv', 'bQYZqcmmYvgkO91E82i'
Source: Swift Copy.exe, otakxlAiRpgIjRlHsfX/mcJBnXAYNYfRhAWYisR.cs | High entropy of concatenated method names: 'piUXSHG72s', 'm0WX4KEd3r', 'hCLXhgf81K', 'ID8XOm2qYv', '.ctor', 'u8hXwCpUOa', 'K05XxXCH4b', 'OnPaint', 'PovXDI6MGG', 'JRFX6VEjLV'
Source: Swift Copy.exe, TgrWSDAWph4YhHny7vh/gRUCpMAB22AYQoNN115.cs | High entropy of concatenated method names: 'En1XCouiHx', 'igjX1eLYhB', '.ctor', 'CP6XiHChiR', 'yPAXfsB7P3', 'NfMXquYqZq', 'LrIXHOS0Zx', 'aK6X2QJvur', 'WN6X0YyH52', 'rv2XyqfBrS'
Source: Swift Copy.exe, vAY8AVAPnC7ulh2uEym/tofWcvAo8EDlCcIUjJL.cs | High entropy of concatenated method names: 'qBQ94hW0tF', 'PlB9TWTj8L', 'UZC9xv5QTy', 'tmC95iEQVr', 'iGO96UcnYI', 'VdY9dcDqtR', 'yja9O20oYM', 'tDU9p9oGCg', 'p1C9AQFGqc', 'Hdv9YUvGbJ'
                Source: Swift Copy.exe, EbmApPU1RRv6aa9g22d/ouKfH3U241h9SEmMlvV.csHigh entropy of concatenated method names: 'XHjJHRVwol', 'nShJ2Cf5rY', 'ymQJymkMb9', 'tRoJKEmMnq', 'fmkJBKuxAO', 'MmcJCHcVTi', 'oTpJWx4aWh', 'ut2JLcWHZ2', 'tY7JiMgDXk', 'KfLJfcUPXp'
                Source: Swift Copy.exe, weF2A7U7OjcBrViLe7y/pKFkmJUICeFfreuPuaf.csHigh entropy of concatenated method names: 'InC88HAFuv', 'ld08J1NUJh', 'X4o8NP4p5y', 'n758MSccQY', 'SVd8SgHmPR', 'SRd842tAb5', 'cHd8whYVU8', 'ePu8xaPwnB', 'KuE87pDMuX', 'upK8B5vStX'
                Source: Swift Copy.exe, NEsOa2UcjD4a8hb5TL8/WpgubaUXgjHEGEaSAIu.csHigh entropy of concatenated method names: 'COduEy95SD', 'fGfuj5DsdX', '.ctor', 'FybuhoCcry', 'uQouOEdxRl', 'vyIupGmXgU', 'OnMouseDown', 'OnMouseMove', 'OnPaint', 'KsuuggLFkD'
                Source: Swift Copy.exe, gRJNbTUlR6BtwIwPnfG/UCUklkUTje2oKlfgFeD.csHigh entropy of concatenated method names: '.ctor', 'pbCnUZZ7vy', 'y4Knt7LXUv', 'uQdl3fXgFd', 'Mp6lWFnmYQ', 'iuvliv4P63', 'wUslf6YQTH', 'dbUlHVbNdP', 'uxyl2PVHxf', 'xPplyh7r88'
                Source: Swift Copy.exe, OoSkybUiqO8jXxMGYuR/bRGpvnUYg2L8jJGALLq.csHigh entropy of concatenated method names: 'OnCreateControl', '.ctor', 'UHcQqms1YL', 'yeXQzjCy2a', 'WGPnLFWfVI', 'NHsnii5GU1', 'fEJnq0jALm', 'vCOnH4acrB', 'NJkn0ihXg0', 'LUFnyxrMmX'
                Source: Swift Copy.exe, fbnm6mUWSFwDCKTO4u7/bKec31UB2C3efvLVBOG.csHigh entropy of concatenated method names: 'rUke1O4XZB', 'oupeoXtYrN', 'VrkeZKn85b', 'RAnee05bGw', 'SZXelLGFuE', 'ip7eVSnNgO', 'lT8evoKD2F', 'rdQePmgsky', 'l1Fe8ypwvS', 'S9JeJEgBxw'
                Source: Swift Copy.exe, rq6uI6AS17Mo67ZJC5H/UkOlUqUzl0aH6ILePkD.csHigh entropy of concatenated method names: 'RyIxtdkg2Z', 'NiLxzxuBZ7', 'EtN5WHREHf', 'pxv5L20pKB', 'YvT5f7dGgM', 'con5quRJpZ', 'ytV52dqE94', 'lEa50dpKxW', 'S4r5KTRkWo', 'Qbo574y0Ab'
                Source: Swift Copy.exe, AlkvhjUpkZgYFcXxb3q/VxQKI8Uk7tygceBH1Xi.csHigh entropy of concatenated method names: '.ctor', 'KvHw8SoLP8', 'XVxwJ3GxOg', 'I3HwNGCWI7', 'bcbwMJPID1', 'VwjwS8EGpd', 'FZTw4Lv54A', 'sJcwwO6eCy', 'WilwxrPTS8', 'pguwDyqSEF'
                Source: Swift Copy.exe, Chfc27UMlSfGjGBJDHZ/uQrB7JUdfaVIKLrTX0w.csHigh entropy of concatenated method names: '.ctor', 'CGQa4Sc947', 'q8WaTc3iSt', 'WIRaepYGOL', 'aGPansl5dx', 'P1YaV9WO7p', 'GSNaaITh0Z', 'gSkaPJndgn', 'FRVauNW81f', 'ydiaJ7reUe'
                Source: Swift Copy.exe, N75no6UKtvELLpe3fb6/qboYZsUZ1HdtXnPXsqX.csHigh entropy of concatenated method names: '.ctor', 'aE6a0ni2a6', 'x3NayWDdao', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'WRTa2i2Qif', 'oiq6KhYnnRsZ2gu7NS5', 'Wq0q32YMDISrc0RULum'
                Source: Swift Copy.exe, ysZCxnULRX9gXwlbmmD/uf90XEU9xsk7IfIG35K.csHigh entropy of concatenated method names: 'L7mVY4LCBW', 'hfVVcUS7fv', 'sNBVFhWeTv', 'QAuVsqh4Sx', '.ctor', 'oEqVIlF1Qd', 'QdyVmne3ej', 'OnPaint', 'gTvVXxCdcZ', 'wZ8VEcwkF1'
                Source: Swift Copy.exe, D3volxArZRjwY7FWqEe/dZqTaPAgcOe3ushoRtY.csHigh entropy of concatenated method names: '.ctor', 'OnCreateControl', 'WpD69nnjyQ', 'cB46jDNykZ', 'o33m2gxPbx', 'mPjm0BJh2e', 'F3OcnSWEZi', 'RJ6clD4vkJ', 'get_Text', 'set_Text'
                Source: Swift Copy.exe, KLwiNvUDtTy3TdqB0wW/aIONVWUQYFVSOgEb6ZN.csHigh entropy of concatenated method names: 'a5koRU9oDc', 'dujoIGKOQf', 'UgAo9TxyRf', 'IV4oXqg4E5', 'FTLojtg41w', 'bVcoFFeY0G', 'VOuokfBPYE', 'arrorJdx14', '.ctor', 'uukocF3wNe'
                Source: Swift Copy.exe, dKgDPIUvxeWKatTDV3v/WCNiqLUtOwfh0qv400Z.csHigh entropy of concatenated method names: '.ctor', 'fJKoHntVKP', 'AcNo26XZm4', 'Uw2o0voUwS', 'e90oyfOEsT', 'Q35oKP0Lvm', 'aE1o7py3dJ', 'cZioQnK0No', 'OKKoZpFTRl', 'JRMonqcudy'
                Source: Swift Copy.exe, evtmmAU5NdIn3iLA3Eq/e1qCsuU89VZVqGciPsR.csHigh entropy of concatenated method names: '.ctor', 'QnI1H0a8gP', 'f8T122qWa4', 'T6a1yA0qRi', 'dow1Kcm1My', 'M7Y1B1fVeD', 'DrR1CUtVWB', 'AOu1opMhOp', 'jOe1QGctdK', 'zhl1eCwK0q'
                Source: Swift Copy.exe, T6UJjxUySltC1G6ZgsL/EfpYylUu08FxSHdJZ5a.csHigh entropy of concatenated method names: 'elnVCpi5ej', 'mjKV11qURd', 'BHUV7aAeTs', 'rIeVQsIgwm', 'dKuVZICRDv', 'hskVnv4rI0', 'Y9bVldjWeE', 'Sr4VakUfwV', 'a0LVvnbLsr', 'LX9VukGjbZ'
                Source: Swift Copy.exe, OT3VU3UHLRIWJTU5Dpv/QY2LKPU4O2bUvL6HBOU.csHigh entropy of concatenated method names: '.ctor', 'jsplEBxopv', 'hIklj6LdmX', 'mOXlsEu1Eq', 'a5clkCmNdm', 'dh8lUaC2Oy', 'nOdlt3eLg6', 'dPeV3phMga', 'oKlVWTg8wc', 'kkvViy6iv8'
                Source: Swift Copy.exe, pf5PMRUAgX4mI5ONXVW/KhLwtnUUDxRcFkUYFSt.csHigh entropy of concatenated method names: '.ctor', 'Ix7C7FWutx', 'hJXCCGnihR', 'lRiCoMJUyS', 'NEdCZOxF5S', 'O26Cn9B80k', 'mmUCV4KXlX', 'YTWCvldDP3', 'mRqCuwnCLv', 'NAkCJ8S0nI'
                Source: Swift Copy.exe, M3lqOFUSRDWN6nGucI1/YuQvMTz2jYFyx3pAx2.csHigh entropy of concatenated method names: '.ctor', 'CuCBcOPa3E', 'AYnBR7XCv5', 'nDPBmaQKRY', 'guNB9heie3', 'IcVBEJRYFy', 'soPBjNBv4Q', 'gVqBsV76WT', 'SCpBkcMN9K', 'BEIBUhAxJ4'
                Source: Swift Copy.exe, TQ2yMJporpZ352ULxY/lDOo95k329E5qDgoSK.csHigh entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'B0yBGqHqNw', 'k8LBSM0CAV', 'sjpBTpPMaC', 'JFZBwS8jfN', 'cY0B5jOT5M', 'tOdBDtqykI', 'OnPaint', 'DcBBMu0JBE'
                Source: Swift Copy.exe, HkQwHZUP7e3Vc5TfgZY/VTybCxUoTbwLS07k3kc.csHigh entropy of concatenated method names: '.ctor', 'Np9ZhpNMK9', 'YTFZO8SKpb', 'HPSZgxoPoo', 'cCeZAZrUvq', 'iHjZcX55bS', 'i1eZR3c3DK', 'x5dZmgF1HU', 'tGEZ96YJAO', 'EP7ZEa0cJt'
                Source: Swift Copy.exe, wVvybdUrj28ducNr8S1/MEoOlxUg4myKw6ds2fj.csHigh entropy of concatenated method names: 'EO8ZKTX7yX', 'ay4Z7BT0td', 'JJnQV4M9Ff', 'iytQam48Sx', 'N8AQPoKvV5', 'XG5QusL2Xn', 'yNGQJd8Wf8', 'uU4Qbl2N91', 'xiNQMomMDL', 'vKAQGXVKOl'
                Source: Swift Copy.exe, Q3gGe3UqiTekmavi0lY/RWX4ucUwoO9qCiH9sH6.csHigh entropy of concatenated method names: '.ctor', 'hjJQywebZl', 'MMWQKmNKee', 'LgEQB96jPV', 'g0PQCG09Pq', 'ACGQLvmWKl', 'YWYQiX1NYV', 'EZ2QfOrQTn', 'djEQqmAjcP', 'tupQHffEop'
                Source: Swift Copy.exe, tam6V7Lhy4Z0ofSyX7/mKLTX19qUPX7SlYso2.csHigh entropy of concatenated method names: 'bslflYT1IL', 'B7KfV9wbPR', 'zQ9fvNEPc7', 'T0GfPqnt4y', '.ctor', 'PuKfnwexcG', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'jIlAXL2lXC0cqfwsvoE'
                Source: Swift Copy.exe, fivLcgyFqf9hXQSjj0/Hiy4fjurl0cAHEnpMi.csHigh entropy of concatenated method names: 'eKZiiKEMXQ', 'J7KifOEn3b', 'lDaiHkXojW', 'o79i2q3CrY', 'MZLiy33NPP', 'qusiKDMeTh', 'YMJiBmQmf0', 'i4FiCa67OJ', 'gkLiop3YWH', 'LBxiQW5SkP'
                Source: Swift Copy.exe, skTXTyHm8ihIt5WtsF/JdNPRf44V3v8CegjU5.csHigh entropy of concatenated method names: 'eeKLOeOPkG', 'gq1Lp3sXvd', 'Q6fLAbtG7t', 'BDXLYOHqt9', 'kmkLRjK765', 'FEwLIh2nNm', 'f09L9kObW6', 'ev4LX630jX', '.ctor', 'CGULjjOokl'
                Source: Swift Copy.exe, SJqYcUAqjnWuZ6YWGyN/rBKNr7Aw9KINObTIyYL.csHigh entropy of concatenated method names: '.ctor', 'N0g6AZEUVn', 'Pnc6Y64XIF', 'BU26RkI7Jl', 'shE6IMCG2S', 'znp692w60Q', 'a6L6XYtG1M', 't6o6jTu2u7', 'SvN6FKf738', 'rAh6kw9sRK'
                Source: Swift Copy.exe, C4ZfEtADxKsqS6IXogv/x3kxJeAQZvsjRqvLfNC.csHigh entropy of concatenated method names: '.ctor', 'PY863iEuMs', 'N176WieTEy', 'Nj86inegir', 'vL96fc7iPl', 'oc76HVgaYN', 'Gxr62AFpXt', 'Y1U6yYF1sd', 'Sbm6KBP18W', 'Jlm6BInyP6'
                Source: Swift Copy.exe, yTWO5iURLFWY7UqOFHX/cOh4huU07WZkE1d4srj.csHigh entropy of concatenated method names: '.ctor', 'hcD4zae8FB', 'm3RT3RDpH3', 'j9dTLBgVnT', 'IrATi3Tb9e', 'F4PTqSMgdV', 'EqWTHCdOIR', 'UYtT0b5q5O', 'fe0TyGYLeA', 'z3PT7YWbLY'
                Source: Swift Copy.exe, KnVd6fUbuwodMFRaHHS/Gcx3OwUF0R2emb9ZetK.csHigh entropy of concatenated method names: 'JCXP9UeAxb', 'I2VPXbEG0P', 'Ui5PENubUZ', 'CQ0Pju8h9T', 'dykPF48je9', 'zDHPsRoGkt', 'WpbPk7nFYb', 'pouPrCbbUE', 'vqYPUC48ZJ', 'YtQPtrN8IP'
                Source: Swift Copy.exe, Fn8MOU3BrSaa8efQS5/qg09hSnwJZ7qY5BR88.csHigh entropy of concatenated method names: '.ctor', 'rP3qnK21bk', 'awmql0Vx6n', 'VBTqaZhDxl', 'XSiqv3m7sL', 'SBuqupsD8u', 'bcbq8Gnx3H', 'dY4qbwnHpM', 'EISqN1IITX', 'cpgqGymEKY'
                Source: Swift Copy.exe, SiUKNCM5NZqaGjQRlI/HxOjPGdrV0MEgQtXvu.csHigh entropy of concatenated method names: '.ctor', 'eNeq2fgMus', 'lqVq0NcoF2', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'd1mqHA4jl9', 'Xfyi0dIOurXgaQN0hn3', 'b2LnBjIbuUnGEpJiqJm'
                Source: Swift Copy.exe, osT7UOOrO5tcJFRTYN/NC8sN5E7Ap5OCJ8JFQ.csHigh entropy of concatenated method names: 'j1BLK67qpb', 'poCL7YLp1B', 'crHLCGQO9G', 'dc3L1ytSuI', 's41LQmnm70', 'WJiLZRKUHG', 'npkLneaH1I', 'hahLlZZxAo', 'xMELunPVOZ', 'DDtL8TNdJo'
                Source: Swift Copy.exe, mkQoSulbpTxaW5naSF/lkwpelTs37Pog2eH8q.csHigh entropy of concatenated method names: 'ikZWk6gQwp', 'g31Wr2aBGq', 'NohWUViB6o', 'Yp3WtRR8La', 'o17WzUY6UX', 'bs2L3yOY4A', 'uCZLWJoKxi', 'WMQLLWsvjT', 'sbXLisVyTN', 'n4ZLfkCQwc'
                Source: Swift Copy.exe, hYq0NrcRh1cM4X362H/LwNs7RXK8p8j68CfhY.csHigh entropy of concatenated method names: '.ctor', 'AUm2mG6kBd', 'y0629SRt4g', 'NmA2E56MGL', 'pWW2jryV7L', 'iUa2sVkRLU', 'xs42ks14vC', 'IDJ2U6ZWYS', 'IeY2t3VUV7', 'y3603M9h9C'
                Source: Swift Copy.exe, umTneKjxGStD8wOk0Q/FTprwgCCZUJjgDGDK5.csHigh entropy of concatenated method names: '.ctor', 'A3oQHBQ89H', 'nktQQAxvIZ', 'ml02h3sfuv', 'npK2Oe850y', 'ySD2xlSI8C', 'jWg25rlqDV', 'rvZ2D5Cf6N', 'JFd26aAjBv', 'anp2dGHP4j'
                Source: Swift Copy.exe, nFaS9ZUOUkko4Uihqdb/eyjsuQUEgJjjUTtXwiC.csHigh entropy of concatenated method names: 'A3oQHBQ89H', 'nktQQAxvIZ', 'irmlxoel2q', 'YjHl5coDsy', '.ctor', 'VsIlJ3Cwj8', 'rgjlbeFiNX', 'KiClNXN9EP', 'c0ElMxjC8k', 'pMZlGf5d6j'
                Source: Swift Copy.exe, YPpwQOs8oqZnxBUM4D/namITcmWIYrqDfqwoT.csHigh entropy of concatenated method names: '.ctor', 'OnPaint', 'W7SKeebCap', 'cCj31NgxrRaKIE5l5w9', 'GRgbW0gsMxn7t5shu0s', 'p83iBngVrbKcjisBPYV', 'VVQG4JgzIM9yTBmc0Nj', 'HAvoWUmZBmqcF08VqSM'
                Source: Swift Copy.exe, I9hYEv1CxClA9fVwdq/oSL48t2YH2LJpnKHVj.csHigh entropy of concatenated method names: '.ctor', 'OnHandleCreated', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove', 'LO0K7f8Deo', 'n3BstbgXZZ1cHFYeVCq', 'x5W1pigNxSe3Ht1kbar', 'IuGfScgj6x4F4YXKr9U'
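The "high entropy of concatenated method names" heuristic behind the findings above can be reproduced in a few lines. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it takes the method names listed for one class of Swift Copy.exe (vDna4qA5JEueEyRAL7h/KjfkJkA8ARLaLhp6ok6.cs, copied from the first line above), compares their concatenated Shannon entropy against a made-up list of ordinary WinForms method names used only as a baseline, and adds a second check the report does not use, the share of names shaped like fixed-length mixed-case alphanumeric tokens. The thresholds in classify() are assumptions chosen between the two samples, not values taken from the report.

```python
import math
import re
from collections import Counter

# Constructed inputs. OBFUSCATED is the method-name list the report prints for
# one class of Swift Copy.exe (vDna4qA5JEueEyRAL7h/KjfkJkA8ARLaLhp6ok6.cs);
# READABLE is a made-up list of ordinary WinForms control method names used
# only as a baseline for comparison and is not taken from the sample.
OBFUSCATED = ['.ctor', 'MBf5c6mnUo', 'ygV5R2XXTK', 'NBg5mPtD63', 'LXN599JHfQ',
              'NT95E3HydX', 'eqf5jOJiDx', 's3V5sY2FBa', 'fy05kpPgZm', 'Khg5U4dgBj']
READABLE = ['.ctor', 'OnPaint', 'OnMouseDown', 'OnMouseUp', 'OnMouseMove',
            'OnHandleCreated', 'get_Text', 'set_Text', 'Dispose', 'InitializeComponent']

# Compiler-emitted names that say nothing about whether a type was renamed.
SPECIAL_NAMES = {'.ctor', '.cctor'}

# Mixed-case alphanumeric tokens of 8+ characters containing a digit: the shape
# renaming obfuscators produce and humans almost never type.
GENERATED_NAME = re.compile(r'^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}$')


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def name_entropy(names) -> float:
    """Entropy of all non-special method names of a type, concatenated.

    Concatenating first (as the report's heuristic does) averages over the
    whole type, so a single odd name cannot trigger the check on its own.
    """
    joined = ''.join(n for n in names if n not in SPECIAL_NAMES)
    return shannon_entropy(joined)


def generated_fraction(names) -> float:
    """Share of non-special names that look machine-generated."""
    real = [n for n in names if n not in SPECIAL_NAMES]
    if not real:
        return 0.0
    return sum(1 for n in real if GENERATED_NAME.match(n)) / len(real)


def classify(names, entropy_threshold: float = 4.8,
             fraction_threshold: float = 0.5) -> dict:
    """Both scores plus a verdict. The thresholds are assumptions picked
    between the two constructed samples, not values from the report."""
    ent = name_entropy(names)
    frac = generated_fraction(names)
    return {
        'entropy_bits_per_char': round(ent, 3),
        'generated_fraction': round(frac, 3),
        'obfuscated': ent >= entropy_threshold or frac >= fraction_threshold,
    }


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('readable', READABLE)):
        print(label, classify(names))
```

The readable baseline comes out near 4.3 bits per character, the renamed class above 5; with a larger sample the renamed names would approach log2(62), about 5.95, since every one of them is drawn from [A-Za-z0-9]. Feed it the per-type method lists exported from a decompiler rather than all names of the assembly at once, as the report does, so that one generated name in an otherwise readable type does not flip the verdict.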
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun (2 identical events)

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                The Zone.Identifier alternate data stream carries the Mark-of-the-Web; stripping it from the persisted copy in AppData avoids the SmartScreen and "unknown publisher" prompts that a copy inheriting the stream from a downloaded file would otherwise trigger when the Run key starts it.
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Swift Copy.exe Process information set: NOOPENFILEERRORBOX (35 identical events)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (57 identical events)
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX (28 identical events)
                SetErrorMode(SEM_NOOPENFILEERRORBOX) only suppresses the dialog Windows would show when a module fails to load; legitimate software sets it routinely, so these events are noise and add nothing to the verdict.

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 592
                Source: C:\Users\user\Desktop\Swift Copy.exe TID: 6600 Thread sleep time: -43806s >= -30000s
                Source: C:\Users\user\Desktop\Swift Copy.exe TID: 6632 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 4972 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 5540 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 43806
                Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
                A delay of 922337203685477 ms is the largest relative timeout representable in 100-ns ticks (Int64.MaxValue / 10000), i.e. an indefinite Sleep or wait rather than a timed evasion sleep; threads blocked this way are common in ordinary GUI and .NET programs. The hardware WMI queries above, which serve host fingerprinting for the exfiltrated victim record as well as VM detection, carry more weight than the delays.
                Source: RegSvcs.exe, 00000005.00000002.915314662.0000000006060000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RegSvcs.exe, 00000005.00000002.915314662.0000000006060000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RegSvcs.exe, 00000005.00000002.915314662.0000000006060000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RegSvcs.exe, 00000005.00000002.915430072.0000000006150000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: RegSvcs.exe, 00000005.00000002.915314662.0000000006060000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                The Hyper-V strings are Windows' own Host Compute Service error-message text and turn up in the memory of any process that has the system library carrying them mapped; by themselves they are not evidence of VM-detection code in the sample.
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010AD1F0 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\Swift Copy.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Swift Copy.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Modifies the hosts file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
                C:\Windows\System32\drivers\etc\hosts is writable only with administrative rights, so on a standard-user host this is the one step of the chain that would not succeed; the dropped copy, its Run key and the Zone.Identifier removal all live in the user profile and would.
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E6A008
                Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Source: RegSvcs.exe, 00000005.00000002.913633999.00000000019B0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: RegSvcs.exe, 00000005.00000002.913633999.00000000019B0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: RegSvcs.exe, 00000005.00000002.913633999.00000000019B0000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: RegSvcs.exe, 00000005.00000002.913633999.00000000019B0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Users\user\Desktop\Swift Copy.exe VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                Source: C:\Users\user\Desktop\Swift Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings:

                Modifies the hosts file
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7108, type: MEMORYSTR
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Tries to harvest and steal ftp login credentials
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Tries to steal Mail credentials (via file access)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7108, type: MEMORYSTR

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7108, type: MEMORYSTR

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation211 | Registry Run Keys / Startup Folder1 | Process Injection212 | File and Directory Permissions Modification1 | OS Credential Dumping2 | System Information Discovery114 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder1 | Disable or Modify Tools1 | Credentials in Registry1 | Query Registry1 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Security Software Discovery111 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information21 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Virtualization/Sandbox Evasion131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion131 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection212 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                Behavior Graph

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                Swift Copy.exe | 63% | Virustotal |
                Swift Copy.exe | 54% | Metadefender |
                Swift Copy.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                Swift Copy.exe | 100% | Joe Sandbox ML |

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | Metadefender |
                C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | ReversingLabs |

                Unpacked PE Files

                Source | Detection | Scanner | Label
                5.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://DynDns.comDynDNS | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.sajatypeworks.comr | 0% | Avira URL Cloud | safe
                https://ieCyjsGVULsHnV35yt1w.com | 0% | Avira URL Cloud | safe
                https://sectigo.com/CPS0 | 0% | URL Reputation | safe
                http://www.sajatypeworks.comt | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn_ | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn/) | 0% | Avira URL Cloud | safe
                http://www.sajatypeworks.comeb | 0% | Avira URL Cloud | safe
                https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
                http://knrDOu.com | 0% | Avira URL Cloud | safe
                http://www.carterandcone.com | 0% | URL Reputation | safe
                http://www.sajatypeworks.come | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
                https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                uscentral50.myserverhosts.com | 174.136.12.72 | true | false | | high

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.founder.com.cn/cn/ | Swift Copy.exe, 00000000.00000003.649167632.0000000005EE6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://DynDns.comDynDNS | RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn | Swift Copy.exe, 00000000.00000003.648730703.0000000005EE7000.00000004.00000001.sdmp, Swift Copy.exe, 00000000.00000003.648289536.0000000005EEE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.comr | Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://ieCyjsGVULsHnV35yt1w.com | RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://sectigo.com/CPS0 | RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.comt | Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn_ | Swift Copy.exe, 00000000.00000003.649325158.0000000005EE6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://uscentral50.myserverhosts.com | RegSvcs.exe, 00000005.00000002.914343205.00000000033A1000.00000004.00000001.sdmp | false | | high
                http://www.founder.com.cn/cn/) | Swift Copy.exe, 00000000.00000003.648981932.0000000005EE8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.sajatypeworks.comeb | Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                http://www.ascendercorp.com/typedesigners.html | Swift Copy.exe, 00000000.00000003.651279811.0000000005F1D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fonts.com | Swift Copy.exe, 00000000.00000003.646781257.0000000005EFB000.00000004.00000001.sdmp | false | | high
                http://i.imgur.com/blkrqBo.gifiThis | Swift Copy.exe | false | | high
                http://knrDOu.com | RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.carterandcone.com | Swift Copy.exe, 00000000.00000003.650768353.0000000005EE8000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.come | Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | RegSvcs.exe, 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                https://api.ipify.org%$ | RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f | Swift Copy.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
174.136.12.72 | uscentral50.myserverhosts.com | United States | 62729 | ASMALLORANGE1US | false

                        General Information

                        Joe Sandbox Version:33.0.0 White Diamond
                        Analysis ID:458930
                        Start date:03.08.2021
                        Start time:22:02:16
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 8m 21s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:Swift Copy.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 0.4% (good quality ratio 0.4%)
                        • Quality average: 100%
                        • Quality standard deviation: 0%
                        HCA Information:
                        • Successful, ratio: 98%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 13.64.90.137, 52.114.133.61, 20.50.102.62, 40.88.32.150, 23.211.6.115, 104.42.151.234, 13.88.21.125, 20.54.110.249, 40.112.88.60, 8.248.143.254, 8.248.131.254, 8.248.149.254, 8.248.139.254, 8.248.147.254, 20.49.157.6, 80.67.82.211, 80.67.82.235, 20.82.210.154
                        • Excluded domains from analysis (whitelisted): browser.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcoleus05.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, browser.pipe.aria.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
22:03:22 | API Interceptor | 1x Sleep call for process: Swift Copy.exe modified
22:03:31 | API Interceptor | 700x Sleep call for process: RegSvcs.exe modified
22:03:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
22:03:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
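The two Autostart rows above are the persistence this sample leaves behind (a Run value named NXLun pointing into AppData\Roaming), and the Created / dropped Files section further down records RegSvcs.exe rewriting C:\Windows\System32\drivers\etc\hosts to an 11-byte file whose preview reads "..127.0.0.1". The following is an added example, not code from the Joe Sandbox report or from the sample: a host-side triage check that flags Run values whose executable lives in a user-writable directory and a hosts file that has lost its stock header. The `reg query` output and the hosts contents are constructed to match the report (the OneDrive entry is illustrative contrast), and the function names are hypothetical.

```python
"""Triage checks for two host artifacts this report records: the HKCU Run
value NXLun pointing at C:\\Users\\user\\AppData\\Roaming\\NXLun\\NXLun.exe, and the
hosts file RegSvcs.exe overwrote (11 bytes, preview "..127.0.0.1").
Added example, not part of the Joe Sandbox report. The samples below are
constructed to match the report; the function names are hypothetical."""
import re

# Constructed sample: what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints on a host carrying the Run value from this report, plus one benign
# entry for contrast (the OneDrive line is illustrative, not from the report).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    NXLun    REG_SZ    C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
"""

# Constructed sample: the 11-byte hosts file from the report. That size only
# fits CRLF followed by "127.0.0.1", which is what the preview shows.
SAMPLE_HOSTS_MODIFIED = b"\r\n127.0.0.1"

# Constructed sample of an untouched hosts file: comment header, no active entries.
SAMPLE_HOSTS_DEFAULT = (
    b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    b"# localhost name resolution is handled within DNS itself.\r\n"
    b"#\t127.0.0.1       localhost\r\n"
)

# Locations a legitimate autostart rarely runs from but droppers favour.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE,
)

# One `reg query` value line: indented name, type, data. Names may contain spaces.
RUN_VALUE = re.compile(r"^\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$")


def parse_run_values(reg_query_output):
    """Return {value_name: command} from the text output of `reg query ...\\Run`."""
    values = {}
    for line in reg_query_output.splitlines():
        m = RUN_VALUE.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
    return values


def image_path(command):
    """Reduce a Run command to its executable: honour quotes, drop arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def suspicious_run_values(reg_query_output):
    """Run values whose executable lives in a user-writable directory."""
    hits = []
    for name, command in parse_run_values(reg_query_output).items():
        path = image_path(command)
        if USER_WRITABLE.search(path):
            hits.append((name, path))
    return hits


def hosts_file_findings(data):
    """Reasons a hosts file no longer looks like the stock one (empty list if it does)."""
    findings = []
    lines = [line.strip() for line in data.decode("ascii", errors="replace").splitlines()]
    if not any(line.startswith("#") for line in lines):
        findings.append("comment header missing (the stock file begins with one)")
    for line in lines:
        if line and not line.startswith("#") and len(line.split()) < 2:
            findings.append("address without a hostname: %r" % line)
    if len(data) < 64:
        findings.append("only %d bytes; the stock file is several hundred" % len(data))
    return findings


if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_REG_QUERY))
    print(hosts_file_findings(SAMPLE_HOSTS_MODIFIED))
    print(hosts_file_findings(SAMPLE_HOSTS_DEFAULT))
```

On a live host, feed the function the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the raw bytes of drivers\etc\hosts. Both Autostart rows in the table name the same value and the same path, so one hit is expected per host, and the hosts check deliberately keys on shape (no header, bare address, tiny size) rather than on the exact 11 bytes, since any rewrite of that file by a user-mode process is the finding.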

                        Joe Sandbox View / Context

                        IPs

Match: 174.136.12.72
Associated Sample Name | Detection
POSH service quotation..exe | malicious
DOC.exe | malicious
PO#4500484210.exe | malicious
SecuriteInfo.com.Trojan.Win32.Save.a.14998.exe | malicious
SecuriteInfo.com.ArtemisD6F96E4A411B.20686.exe | malicious
PAYMENT COPY.exe | malicious

                                    Domains

Match: uscentral50.myserverhosts.com
Associated Sample Name | Detection | Context
POSH service quotation..exe | malicious | 174.136.12.72
DOC.exe | malicious | 174.136.12.72
PO#4500484210.exe | malicious | 174.136.12.72
SecuriteInfo.com.Trojan.Win32.Save.a.14998.exe | malicious | 174.136.12.72
SecuriteInfo.com.ArtemisD6F96E4A411B.20686.exe | malicious | 174.136.12.72
PAYMENT COPY.exe | malicious | 174.136.12.72

                                    ASN

Match: ASMALLORANGE1US
Associated Sample Name | Detection | Context
POSH service quotation..exe | malicious | 174.136.12.72
DOC.exe | malicious | 174.136.12.72
PO#4500484210.exe | malicious | 174.136.12.72
SecuriteInfo.com.Trojan.PackedNET.967.18099.exe | malicious | 173.237.136.115
SecuriteInfo.com.Trojan.Win32.Save.a.14998.exe | malicious | 174.136.12.72
SecuriteInfo.com.ArtemisD6F96E4A411B.20686.exe | malicious | 174.136.12.72
qq.exe | malicious | 207.210.192.60
PAYMENT COPY.exe | malicious | 174.136.12.72
PreOrder.exe | malicious | 129.121.2.208
droxoUY6SU.exe | malicious | 143.95.157.174
CBI8Rv3xZ7.dll | malicious | 207.210.192.60
hcTYYoyYOS.dll | malicious | 207.210.192.60
CBI8Rv3xZ7.dll | malicious | 207.210.192.60
hcTYYoyYOS.dll | malicious | 207.210.192.60
f.xls | malicious | 207.210.192.60
50681.dll | malicious | 207.210.192.60
50681.dll | malicious | 207.210.192.60
SecuriteInfo.com.VB.Trojan.Valyria.4710.541.xls | malicious | 207.210.192.60
sample1.doc | malicious | 143.95.101.72
statistic-1906694268((Unsaved-308830951474448751)).xlsb | malicious | 149.47.136.230

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

Match: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Associated Sample Name | Detection
SOA.exe | malicious
POSH service quotation.exe | malicious
SOA.exe | malicious
epda.exe | malicious
POSH service quotation..exe | malicious
SWIFT REF GO 20210730SFT21020137.exe | malicious
HJKcEjrUuzYMV9X.exe | malicious
est pda.exe | malicious
BL COPY.exe | malicious
DOC.exe | malicious
statement.exe | malicious
PO-K-128 IAN 340854.exe | malicious
PO#4500484210.exe | malicious
Invoice no SS21-22185.exe | malicious
SQycD6hL4Y.exe | malicious
Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exe | malicious
PAYMENT INSTRUCTIONS COPY.exe | malicious
FINAL SHIPPING DOC..exe | malicious
Spare Parts Requisition-003,004.exe | malicious
PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe | malicious

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
                                                                            Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):142
                                                                            Entropy (8bit):5.090621108356562
                                                                            Encrypted:false
                                                                            SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                                            MD5:8C0458BB9EA02D50565175E38D577E35
                                                                            SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                            SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                            SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Swift Copy.exe.log
                                                                            Process:C:\Users\user\Desktop\Swift Copy.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1314
                                                                            Entropy (8bit):5.350128552078965
                                                                            Encrypted:false
                                                                            SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                            MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                            SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                            SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                            SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                            Malicious:true
                                                                            Reputation:high, very likely benign file
                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                            C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):45152
                                                                            Entropy (8bit):6.149629800481177
                                                                            Encrypted:false
                                                                            SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                                            MD5:2867A3817C9245F7CF518524DFD18F28
                                                                            SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                            SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                            SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                            Malicious:true
                                                                            Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SOA.exe, Detection: malicious
• Filename: POSH service quotation.exe, Detection: malicious
• Filename: SOA.exe, Detection: malicious
• Filename: epda.exe, Detection: malicious
• Filename: POSH service quotation..exe, Detection: malicious
• Filename: SWIFT REF GO 20210730SFT21020137.exe, Detection: malicious
• Filename: HJKcEjrUuzYMV9X.exe, Detection: malicious
• Filename: est pda.exe, Detection: malicious
• Filename: BL COPY.exe, Detection: malicious
• Filename: DOC.exe, Detection: malicious
• Filename: statement.exe, Detection: malicious
• Filename: PO-K-128 IAN 340854.exe, Detection: malicious
• Filename: PO#4500484210.exe, Detection: malicious
• Filename: Invoice no SS21-22185.exe, Detection: malicious
• Filename: SQycD6hL4Y.exe, Detection: malicious
• Filename: Aggiornamento ordine Quantit#U00e0__BFM Srl 117-28050-01.exe, Detection: malicious
• Filename: PAYMENT INSTRUCTIONS COPY.exe, Detection: malicious
• Filename: FINAL SHIPPING DOC..exe, Detection: malicious
• Filename: Spare Parts Requisition-003,004.exe, Detection: malicious
• Filename: PO NOAB1088 ALEMO INDUSTRIAL ENGINEERS.exe, Detection: malicious
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                            C:\Windows\System32\drivers\etc\hosts
                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:modified
                                                                            Size (bytes):11
                                                                            Entropy (8bit):2.663532754804255
                                                                            Encrypted:false
                                                                            SSDEEP:3:iLE:iLE
                                                                            MD5:B24D295C1F84ECBFB566103374FB91C5
                                                                            SHA1:6A750D3F8B45C240637332071D34B403FA1FF55A
                                                                            SHA-256:4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
                                                                            SHA-512:9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
                                                                            Malicious:true
                                                                            Preview: ..127.0.0.1
                                                                            \Device\ConDrv
                                                                            Process:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1141
                                                                            Entropy (8bit):4.44831826838854
                                                                            Encrypted:false
                                                                            SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                                            MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                                            SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                                            SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                                            SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                                            Malicious:false
                                                                            Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
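The two UsageLogs files listed above (NXLun.exe.log and Swift Copy.exe.log) are the CLR's own record of which assemblies each .NET process bound, which is why a forensic reviewer reads them even though the report rates their contents very likely benign: NXLun.exe.log shows the dropped persistence binary binding System.EnterpriseServices, and the \Device\ConDrv entry shows that same process printing the RegSvcs.exe usage banner. The following parser is an added example, not part of the report. The sample log is constructed from the two previews with the ".." CRLF markers restored, the function names are hypothetical, and the reading of the record types (2 = assembly by display name, 3 = display name plus the native image the loader used) comes from the previews on this page, not from documentation; the trailing integer on each record is kept but not interpreted, since the report does not say what it means.

```python
"""Parse a CLR v4 UsageLogs file such as the two *.exe.log artifacts above
and list the assemblies the process bound. Added example, not part of the
Joe Sandbox report. The sample is constructed from the NXLun.exe.log and
Swift Copy.exe.log previews (".." in the previews is CRLF); the function
names are hypothetical and the record-type meanings are read off the previews."""
import csv
import io

# Constructed sample: NXLun.exe.log as previewed, plus one record with a
# native-image path taken from the Swift Copy.exe.log preview.
SAMPLE_USAGE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
)


def parse_usage_log(text):
    """Yield (record_type, fields, trailing_flag) for every record.
    Records are CSV rows: a type number, one or more quoted strings, an integer."""
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) < 3:
            continue
        yield int(row[0]), row[1:-1], int(row[-1])


def loaded_assemblies(text):
    """Map simple assembly name -> (display name, native image path or None).
    In the previews, type-2 records carry a display name and type-3 records
    carry the display name plus the NGEN image (.ni.dll) the loader used."""
    result = {}
    for rtype, fields, _flag in parse_usage_log(text):
        if rtype not in (2, 3) or not fields:
            continue
        display = fields[0]
        simple = display.split(",")[0].strip()
        native = fields[1] if rtype == 3 and len(fields) > 1 else None
        result[simple] = (display, native)
    return result


def assembly_identities(text):
    """(name, version, public key token) triples, the form you would compare
    against the assemblies a binary of that name normally loads."""
    out = []
    for display, _native in loaded_assemblies(text).values():
        name, *rest = [p.strip() for p in display.split(",")]
        attrs = dict(p.split("=", 1) for p in rest if "=" in p)
        out.append((name, attrs.get("Version"), attrs.get("PublicKeyToken")))
    return out


def loaded_from_native_image(text):
    """Simple names of assemblies whose record carries an NGEN image path."""
    return sorted(n for n, (_d, native) in loaded_assemblies(text).items() if native)


if __name__ == "__main__":
    for identity in assembly_identities(SAMPLE_USAGE_LOG):
        print(identity)
    print(loaded_from_native_image(SAMPLE_USAGE_LOG))
```

Run it against the real files under %LocalAppData%\Microsoft\CLR_v4.0_32\UsageLogs on a suspect host; the log is named after the executable, so a log for a name you did not expect (NXLun.exe here) is itself the lead, and the identities it lists tell you what that process pulled in before you have the binary.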

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):6.897490184299401
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            File name:Swift Copy.exe
                                                                            File size:1136128
                                                                            MD5:2d6c5824ba1d09d610cf914f003c7276
                                                                            SHA1:3c3155f0f1dd4aa1a6848892cc75399da642662a
                                                                            SHA256:fa8025405c4c0290b63c2bbdf413edf496b729abe7bc791eb125f2c21895c842
                                                                            SHA512:e1fc9a2d3ae761c80b5dbe55e8337d507ab966d57eb6fe7def21cbf7f913a26c358a3f4308da8abe10b11ae981b6f4744a4031866eca5b82d7f93ae09706492a
                                                                            SSDEEP:24576:ZrOXgPVt25/d3F4JaKu4YkueiPUFPBBInmkaK14shf1:ZrOw7W4JaKpYkufUFPBBIfSsl1
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.................L...........k... ........@.. ....................................@................................

                                                                            File Icon

                                                                            Icon Hash:00828e8e8686b000

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x516bde
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                            Time Stamp:0x6101F4C7 [Thu Jul 29 00:22:31 2021 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:v4.0.30319
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]

                                                                            Data Directories

                                                                            Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x116b90        | 0x4b         | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x118000        | 0x5dc        | .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x11a000        | 0xc          | .reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                            Sections

                                                                            Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                                                                            .text  | 0x2000          | 0x114be4     | 0x114c00 | False    | 0.617520078196  | data      | 6.90263160898  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .rsrc  | 0x118000        | 0x5dc        | 0x600    | False    | 0.434244791667  | data      | 4.16646798444  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc | 0x11a000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            Name        | RVA      | Size  | Type                                                                        | Language | Country
                                                                            RT_VERSION  | 0x1180a0 | 0x350 | data                                                                        |          |
                                                                            RT_MANIFEST | 0x1183f0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

                                                                            Imports

                                                                            DLL         | Import
                                                                            mscoree.dll | _CorExeMain

                                                                            Version Infos

                                                                            Description      | Data
                                                                            Translation      | 0x0000 0x04b0
                                                                            LegalCopyright   | Copyright Microsoft 2014
                                                                            Assembly Version | 1.0.0.0
                                                                            InternalName     | WindowsIdenti.exe
                                                                            FileVersion      | 1.0.0.0
                                                                            CompanyName      | Microsoft
                                                                            LegalTrademarks  |
                                                                            Comments         |
                                                                            ProductName      | QManager
                                                                            ProductVersion   | 1.0.0.0
                                                                            FileDescription  | QManager
                                                                            OriginalFilename | WindowsIdenti.exe

                                                                            Network Behavior

                                                                            Network Port Distribution

                                                                            TCP Packets


                                                                            UDP Packets

                                                                            Aug 3, 2021 22:04:54.303131104 CEST5275253192.168.2.48.8.8.8
                                                                            Aug 3, 2021 22:04:54.341016054 CEST53527528.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 3, 2021 22:04:54.303131104 CEST | 192.168.2.4 | 8.8.8.8 | 0x5680 | Standard query (0) | uscentral50.myserverhosts.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 3, 2021 22:04:54.341016054 CEST | 8.8.8.8 | 192.168.2.4 | 0x5680 | No error (0) | uscentral50.myserverhosts.com | | 174.136.12.72 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 3, 2021 22:04:54.753700972 CEST | 587 | 49763 | 174.136.12.72 | 192.168.2.4 | 220-uscentral50.myserverhosts.com ESMTP Exim 4.93 #2 Tue, 03 Aug 2021 15:04:54 -0500
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 3, 2021 22:04:54.755069017 CEST | 49763 | 587 | 192.168.2.4 | 174.136.12.72 | EHLO 585948
Aug 3, 2021 22:04:54.899413109 CEST | 587 | 49763 | 174.136.12.72 | 192.168.2.4 | 250-uscentral50.myserverhosts.com Hello 585948 [84.17.52.25]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Aug 3, 2021 22:04:54.899914026 CEST | 49763 | 587 | 192.168.2.4 | 174.136.12.72 | STARTTLS
Aug 3, 2021 22:04:55.047693968 CEST | 587 | 49763 | 174.136.12.72 | 192.168.2.4 | 220 TLS go ahead

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 22:03:03
Start date: 03/08/2021
Path: C:\Users\user\Desktop\Swift Copy.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Swift Copy.exe'
Imagebase: 0xa90000
File size: 1136128 bytes
MD5 hash: 2D6C5824BA1D09D610CF914F003C7276
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 22:03:22
Start date: 03/08/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xc40000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 22:03:53
Start date: 03/08/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0x320000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: high

General

Start time: 22:03:54
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:04:02
Start date: 03/08/2021
Path: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Imagebase: 0x6a0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 22:04:02
Start date: 03/08/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
