Windows Analysis Report
SWIFT,pdf.exe

Overview

General Information

Sample Name:SWIFT,pdf.exe
Analysis ID:635167
MD5:01844ea0e93a3c408e3d37c577723b85
SHA1:80e590ab91b85948fc890a1726ca529de30c9a3c
SHA256:0605d3622a953ea5b976b34f80e5fd3704c6937644cb6fb11a88351aaf0d110c
Tags:agenttesla, exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SWIFT,pdf.exe (PID: 480 cmdline: "C:\Users\user\Desktop\SWIFT,pdf.exe" MD5: 01844EA0E93A3C408E3D37C577723B85)
    • BackgroundTransferHost.exe (PID: 1428 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
    • SWIFT,pdf.exe (PID: 1428 cmdline: C:\Users\user\Desktop\SWIFT,pdf.exe MD5: 01844EA0E93A3C408E3D37C577723B85)
    • SWIFT,pdf.exe (PID: 4956 cmdline: C:\Users\user\Desktop\SWIFT,pdf.exe MD5: 01844EA0E93A3C408E3D37C577723B85)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "sandra.vasic@pickerr.com", "Password": "L@ur@24Filip04", "Host": "mail.your-server.de"}
Memory Dumps (16 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings
00000000.00000002.292324885.000000000286F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000005.00000000.288508913.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.288508913.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000002.501638862.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000002.501638862.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Unpacked PEs (32 entries in total; first 5 shown)

Source | Rule | Description | Author | Strings
5.0.SWIFT,pdf.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.SWIFT,pdf.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.0.SWIFT,pdf.exe.400000.6.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | matched strings listed below
  • 0x32b92:$s10: logins
  • 0x325f9:$s11: credential
  • 0x2ebc4:$g1: get_Clipboard
  • 0x2ebd2:$g2: get_Keyboard
  • 0x2ebdf:$g3: get_Password
  • 0x2fede:$g4: get_CtrlKeyDown
  • 0x2feee:$g5: get_ShiftKeyDown
  • 0x2feff:$g6: get_AltKeyDown
5.2.SWIFT,pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.2.SWIFT,pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
No Sigma rule has matched

Timestamp:05/27/22-16:17:51.099555
Source IP:192.168.2.4
Source Port:49763
Destination IP:78.46.5.205
Destination Port:587
Protocol:TCP
SID:2030171
Classtype:A Network Trojan was detected

Timestamp:05/27/22-16:17:51.099661
Source IP:192.168.2.4
Source Port:49763
Destination IP:78.46.5.205
Destination Port:587
Protocol:TCP
SID:2840032
Classtype:A Network Trojan was detected

                    AV Detection

Source: 5.0.SWIFT,pdf.exe.400000.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sandra.vasic@pickerr.com", "Password": "L@ur@24Filip04", "Host": "mail.your-server.de"}
Source: SWIFT,pdf.exe | Virustotal: Detection: 46%
Source: SWIFT,pdf.exe | ReversingLabs: Detection: 24%
Source: 5.0.SWIFT,pdf.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT,pdf.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.SWIFT,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT,pdf.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT,pdf.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.SWIFT,pdf.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: SWIFT,pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: SWIFT,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                    Networking

Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49763 -> 78.46.5.205:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49763 -> 78.46.5.205:587
Source: Joe Sandbox View | IP Address: 78.46.5.205
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 78.46.5.205:587
Source: SWIFT,pdf.exe, 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SWIFT,pdf.exe, 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SWIFT,pdf.exe, 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://RuEJKW.com
Source: SWIFT,pdf.exe, 00000005.00000002.507141679.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000005.00000002.507466470.00000000032DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ar78QkSNCRu5mqvP5Vd.org
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SWIFT,pdf.exe, 00000005.00000002.507336543.00000000032CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.your-server.de
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.254539422.00000000057BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SWIFT,pdf.exe, 00000000.00000003.252380663.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259330287.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259109067.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.251876573.00000000057ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SWIFT,pdf.exe, 00000000.00000003.252967761.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SWIFT,pdf.exe, 00000000.00000002.298260232.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259518641.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259142205.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259330287.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259109067.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259572889.00000000057E3000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.251876573.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259652752.00000000057EB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259617196.00000000057E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designerse
Source: SWIFT,pdf.exe, 00000000.00000003.253878391.00000000057ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersers
Source: SWIFT,pdf.exe, 00000000.00000003.254539422.00000000057BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com7
Source: SWIFT,pdf.exe, 00000000.00000003.254539422.00000000057BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comB.TTF
Source: SWIFT,pdf.exe, 00000000.00000003.254539422.00000000057BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comE
Source: SWIFT,pdf.exe, 00000000.00000003.259282190.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259671144.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259163600.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259541752.00000000057BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: SWIFT,pdf.exe, 00000000.00000003.259282190.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259163600.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259541752.00000000057BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdiaF
Source: SWIFT,pdf.exe, 00000000.00000002.298139724.00000000057B0000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259282190.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259671144.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259163600.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259541752.00000000057BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: SWIFT,pdf.exe, 00000000.00000003.254539422.00000000057BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comitu
Source: SWIFT,pdf.exe, 00000000.00000002.298139724.00000000057B0000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259282190.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259671144.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259163600.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.259541752.00000000057BD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.commx
Source: SWIFT,pdf.exe, 00000000.00000003.254539422.00000000057BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comtuedN
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SWIFT,pdf.exe, 00000000.00000003.246812524.00000000057B4000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246960820.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247128946.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247052636.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247089450.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246878944.00000000057B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SWIFT,pdf.exe, 00000000.00000003.246812524.00000000057B4000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246960820.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247128946.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247052636.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247089450.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246878944.00000000057B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh-cp
Source: SWIFT,pdf.exe, 00000000.00000003.246812524.00000000057B4000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246960820.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247128946.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247052636.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247089450.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246878944.00000000057B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnkM&
Source: SWIFT,pdf.exe, 00000000.00000003.246812524.00000000057B4000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246960820.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247128946.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247052636.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247089450.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246878944.00000000057B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn
Source: SWIFT,pdf.exe, 00000000.00000003.246812524.00000000057B4000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246960820.00000000057B6000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247128946.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247052636.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.247089450.00000000057B7000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.246878944.00000000057B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnv-s
Source: SWIFT,pdf.exe, 00000000.00000003.256790318.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SWIFT,pdf.exe, 00000000.00000003.250050537.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SWIFT,pdf.exe, 00000000.00000003.250123568.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250050537.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: SWIFT,pdf.exe, 00000000.00000003.250123568.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250050537.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: SWIFT,pdf.exe, 00000000.00000003.250284896.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250123568.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250050537.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SWIFT,pdf.exe, 00000000.00000003.250284896.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250123568.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250050537.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: SWIFT,pdf.exe, 00000000.00000003.250284896.00000000057BC000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250123568.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250050537.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SWIFT,pdf.exe, 00000000.00000003.250123568.00000000057BB000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250050537.00000000057BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: SWIFT,pdf.exe, 00000000.00000002.291715681.0000000000F77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SWIFT,pdf.exe, 00000000.00000003.250276400.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250710433.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250529607.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250364352.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250669943.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250372591.00000000057EF000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250441324.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250756551.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250477413.00000000057ED000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000003.250631867.00000000057ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.comnlE
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SWIFT,pdf.exe, 00000000.00000002.299032219.0000000006A42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SWIFT,pdf.exe, 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: SWIFT,pdf.exe, 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: SWIFT,pdf.exe | String found in binary or memory: https://github.com
Source: SWIFT,pdf.exe | String found in binary or memory: https://github.com/dcoetzee/plants-vs-zombies-user-file-editor
Source: SWIFT,pdf.exe, 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: mail.your-server.de

                    System Summary

Source: 5.0.SWIFT,pdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.2.SWIFT,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT,pdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.3b7e440.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT,pdf.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.3b49c20.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.3abaa00.7.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.3b49c20.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT,pdf.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.7070000.11.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.3b7e440.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.SWIFT,pdf.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.7070000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.3abaa00.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SWIFT,pdf.exe.3abaa00.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.300286578.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.0.SWIFT,pdf.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b78704ED9u002d6B55u002d4178u002dABC6u002dB1633DCC5C8Au007d/u00302DD943Fu002dAE28u002d4089u002d8BB9u002d54032C3E4279.cs | Large array initialization: .cctor: array initializer size 11643
Source: 5.0.SWIFT,pdf.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b78704ED9u002d6B55u002d4178u002dABC6u002dB1633DCC5C8Au007d/u00302DD943Fu002dAE28u002d4089u002d8BB9u002d54032C3E4279.cs | Large array initialization: .cctor: array initializer size 11643
Source: 5.2.SWIFT,pdf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b78704ED9u002d6B55u002d4178u002dABC6u002dB1633DCC5C8Au007d/u00302DD943Fu002dAE28u002d4089u002d8BB9u002d54032C3E4279.cs | Large array initialization: .cctor: array initializer size 11643
Source: SWIFT,pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 5.0.SWIFT,pdf.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.SWIFT,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT,pdf.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT,pdf.exe.3b7e440.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT,pdf.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT,pdf.exe.3b49c20.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT,pdf.exe.3abaa00.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SWIFT,pdf.exe.3b49c20.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT,pdf.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT,pdf.exe.7070000.11.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SWIFT,pdf.exe.3b7e440.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.SWIFT,pdf.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT,pdf.exe.7070000.11.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SWIFT,pdf.exe.3abaa00.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SWIFT,pdf.exe.3abaa00.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.300286578.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E5618
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E67AD
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E67A7
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E67B4
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E67B0
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E560C
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E5609
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E5615
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E5611
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E51EC
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E51E8
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E51E1
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E51F0
Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_05900040
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 0_2_059000330_2_05900033
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 5_2_0545F0805_2_0545F080
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 5_2_054561205_2_05456120
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 5_2_0545F3C85_2_0545F3C8
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 5_2_0616CEC05_2_0616CEC0
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 5_2_0616C1705_2_0616C170
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 5_2_06161FF85_2_06161FF8
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: 5_2_061600405_2_06160040
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeCode function: String function: 06165A58 appears 53 times
                    Source: SWIFT,pdf.exeBinary or memory string: OriginalFilename vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000000.00000002.292324885.000000000286F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOYRDZLpvrZJvXsHAlQKwUaPEPCSTNVpQy.exe4 vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000000.00000002.290683472.0000000000352000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameImageFileMach.exe" vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000000.00000002.295567908.0000000003A7A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000000.00000002.295567908.0000000003A7A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOYRDZLpvrZJvXsHAlQKwUaPEPCSTNVpQy.exe4 vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000000.00000002.300286578.0000000007070000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameIVectorView.dllN vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000004.00000002.283748387.0000000000392000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameImageFileMach.exe" vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000005.00000000.288577010.0000000000C42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameImageFileMach.exe" vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000005.00000000.288508913.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOYRDZLpvrZJvXsHAlQKwUaPEPCSTNVpQy.exe4 vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe, 00000005.00000002.502820388.00000000010F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe | Binary or memory string: OriginalFilenameImageFileMach.exe" vs SWIFT,pdf.exe
                    Source: SWIFT,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: SWIFT,pdf.exe | Virustotal: Detection: 46%
                    Source: SWIFT,pdf.exe | ReversingLabs: Detection: 24%
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\SWIFT,pdf.exe "C:\Users\user\Desktop\SWIFT,pdf.exe"
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Process created: C:\Users\user\Desktop\SWIFT,pdf.exe C:\Users\user\Desktop\SWIFT,pdf.exe
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT,pdf.exe.log
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/1@1/1
                    Source: SWIFT,pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\CwOYFRQEv
                    Source: 5.0.SWIFT,pdf.exe.400000.8.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 5.0.SWIFT,pdf.exe.400000.6.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 5.2.SWIFT,pdf.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: SWIFT,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SWIFT,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E00DE push 8BF04589h; retf 0_2_058E00E3
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_058E6E1E push ds; ret 0_2_058E6E1F
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_059160E8 pushad ; retf 0_2_059160EA
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_05916211 pushad ; retf 0_2_05916212
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 0_2_05916253 pushad ; retf 0_2_0591625A
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616EE08 push 140614C3h; ret 5_2_0616EF1D
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4B5 push es; retf 5_2_0616B4B8
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4B1 push es; retf 5_2_0616B4B4
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4BD push es; retf 5_2_0616B4C0
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4B9 push es; retf 5_2_0616B4BC
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4AD push es; retf 5_2_0616B4B0
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4A9 push es; retf 5_2_0616B4AC
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4C5 push ss; retf 5_2_0616B4D0
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B4C1 push es; retf 5_2_0616B4C4
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B225 push ss; retf 5_2_0616B264
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B271 push ss; retf 5_2_0616B2BC
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B265 push ss; retf 5_2_0616B270
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616FA68 pushad ; retf 5_2_0616FA69
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B2BD push ss; retf 5_2_0616B2FC
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B2FD push ss; retf 5_2_0616B308
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B309 push ss; retf 5_2_0616B354
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B355 push ss; retf 5_2_0616B3A0
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3A1 push es; retf 5_2_0616B3C4
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3D5 push ss; retf 5_2_0616B394
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3D5 push es; retf 5_2_0616B3DC
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3DD push ss; retf 5_2_0616B394
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3DD push ss; retf 5_2_0616B3EC
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3C5 push ss; retf 5_2_0616B3A0
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3C5 push ss; retf 5_2_0616B3CC
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3CD push ss; retf 5_2_0616B394
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Code function: 5_2_0616B3CD push ss; retf 5_2_0616B3D4
                    Source: initial sample | Static PE information: section name: .text entropy: 7.82024778382

                    Hooking and other Techniques for Hiding and Protection

                    Source: c:\users\user\desktop\swift,pdf.exe | File moved: C:\Users\user\AppData\Local\Temp\tmpG636.tmp
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: 00000000.00000002.292324885.000000000286F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT,pdf.exe PID: 480, type: MEMORYSTR
                    Source: SWIFT,pdf.exe, 00000000.00000002.292324885.000000000286F000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: SWIFT,pdf.exe, 00000000.00000002.292324885.000000000286F000.00000004.00000800.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe TID: 1280 | Thread sleep time: -43731s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe TID: 5244 | Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe TID: 6120 | Thread sleep count: 3512 > 30
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe TID: 6120 | Thread sleep count: 5504 > 30
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Window / User API: threadDelayed 3512
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Window / User API: threadDelayed 5504
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Thread delayed: delay time: 43731
                    Source: SWIFT,pdf.exe, 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: SWIFT,pdf.exe, 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: SWIFT,pdf.exe, 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                    Source: SWIFT,pdf.exe, 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: SWIFT,pdf.exe, 00000005.00000003.317607620.000000000147D000.00000004.00000020.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000005.00000003.317810934.000000000149A000.00000004.00000020.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000005.00000002.503453846.000000000147D000.00000004.00000020.00020000.00000000.sdmp, SWIFT,pdf.exe, 00000005.00000003.317182610.0000000001473000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll??
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Memory written: C:\Users\user\Desktop\SWIFT,pdf.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Process created: C:\Users\user\Desktop\SWIFT,pdf.exe C:\Users\user\Desktop\SWIFT,pdf.exe
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Users\user\Desktop\SWIFT,pdf.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Users\user\Desktop\SWIFT,pdf.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.SWIFT,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b7e440.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b49c20.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b49c20.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b7e440.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3abaa00.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.288508913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.501638862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.287160504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.287602943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.289277501.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.295567908.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT,pdf.exe PID: 480, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: SWIFT,pdf.exe PID: 4956, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\SWIFT,pdf.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: Yara match | File source: 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT,pdf.exe PID: 4956, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.SWIFT,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b7e440.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b49c20.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b49c20.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3b7e440.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.SWIFT,pdf.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT,pdf.exe.3abaa00.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000000.288508913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.501638862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.287160504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.287602943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.289277501.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.295567908.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT,pdf.exe PID: 480, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: SWIFT,pdf.exe PID: 4956, type: MEMORYSTR
                    ATT&CK matrix, listed by tactic (column) with its techniques (rows); the bracketed numbers are the counters the report attaches to the techniques the analysis flagged:

                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [3]
                    Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    SourceDetectionScannerLabelLink
                    SWIFT,pdf.exe46%VirustotalBrowse
                    SWIFT,pdf.exe24%ReversingLabsByteCode-MSIL.Trojan.Generic
                    No Antivirus matches
                    SourceDetectionScannerLabelLinkDownload
                    5.0.SWIFT,pdf.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    5.0.SWIFT,pdf.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    5.2.SWIFT,pdf.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    5.0.SWIFT,pdf.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    5.0.SWIFT,pdf.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    5.0.SWIFT,pdf.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.your-server.de | 78.46.5.205 | true | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
78.46.5.205 | mail.your-server.de | Germany | 24940 | HETZNER-AS DE | false
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635167
Start date and time: 2022-05-27 16:16:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SWIFT,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/1@1/1
                                                    EGA Information:
                                                    • Successful, ratio: 33.3%
HDC Information: Failed
                                                    HCA Information:
                                                    • Successful, ratio: 98%
                                                    • Number of executed functions: 48
                                                    • Number of non-executed functions: 12
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target SWIFT,pdf.exe, PID 1428 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:17:27 | API Interceptor | 635x Sleep call for process: SWIFT,pdf.exe modified
Match: 78.46.5.205 (associated samples / URLs, all detected as malicious)
• Swift,pdf.exe
• SecuriteInfo.com.Trojan.Packed2.44221.26169.exe
• Invoice_FRUTTA.exe
• PI SK20220327 Confirmation & Shipping Documents.exe
• New order 9863298650#.exe
• Order list -BERN220819.exe
• Payment Swift_santander MT101.exe
• Remittance Confirmation_swift M0198.exe
• Bill of Lading 913286335.exe
• AWB NOTICE - ORIGINAL SHIPPING DOCUMENTS.PDF.exe
• AWB DHL 7214306201_Shipment Notification.exe
• Purchase_Order_Confirmation Telex release for Import.exe
• SecuriteInfo.com.Trojan.PackedNET.624.6293.exe
• GREY 2021 IN.xlsx
• zy9maS0WQ0.exe
• http://blog.ploytrip.com/z9cr/Pages/UxiQlIomnGiGKODewvEaBYLyCJh/
Match: mail.your-server.de (associated samples / URLs, all detected as malicious; context IP 78.46.5.205 for every entry)
• Swift,pdf.exe
• SecuriteInfo.com.Trojan.Packed2.44221.26169.exe
• Invoice_FRUTTA.exe
• PI SK20220327 Confirmation & Shipping Documents.exe
• New order 9863298650#.exe
• Order list -BERN220819.exe
• Payment Swift_santander MT101.exe
• Remittance Confirmation_swift M0198.exe
• Bill of Lading 913286335.exe
• AWB NOTICE - ORIGINAL SHIPPING DOCUMENTS.PDF.exe
• AWB DHL 7214306201_Shipment Notification.exe
• Purchase_Order_Confirmation Telex release for Import.exe
• SecuriteInfo.com.Trojan.PackedNET.624.6293.exe
• GREY 2021 IN.xlsx
• zy9maS0WQ0.exe
• http://blog.ploytrip.com/z9cr/Pages/UxiQlIomnGiGKODewvEaBYLyCJh/
Match: HETZNER-AS DE (associated samples / URLs, all detected as malicious, with their context IP)
• https://serlibrecapacitacion.com/v9/ (135.181.58.223)
• making_a_contract_legally_binding_30040.js (94.130.24.150)
• recibo.exe (168.119.38.32)
• LdbyBADfIR.exe (148.251.234.83)
• illegalargumentexception_comparison_method_violates_its_general_contra 70051.js (94.130.24.150)
• SecuriteInfo.com.W32.AIDetectNet.01.6442.exe (116.202.230.200)
• kyTwt6MpdH.exe (148.251.234.83)
• ZmzUNJmCH1.dll (78.47.204.80)
• SecuriteInfo.com.generic.ml.22865.exe (5.9.197.244)
• CWU0uX3bV5 (95.217.252.212)
• http://frameboxxindore.com (46.4.104.244)
• SecuriteInfo.com.XLM.Trojan.Abracadabra.8.Gen.19319.xls (95.217.145.167)
• Kn7vI9IYMc3QOV4.exe (78.46.144.83)
• N2ggWMNLYe.exe (94.130.174.62)
• zjvhG6HAq4 (94.130.241.82)
• 341HRlT4n3 (95.217.66.135)
• Setup.exe (95.217.225.59)
• FORTNITEA.exe (176.9.247.226)
• ADOBE PHOTOSHOP.exe (159.69.101.96)
• omiZor5tdG (88.198.32.239)
Process: C:\Users\user\Desktop\SWIFT,pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.820224390379348
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: SWIFT,pdf.exe
File size: 749056
MD5: 01844ea0e93a3c408e3d37c577723b85
SHA1: 80e590ab91b85948fc890a1726ca529de30c9a3c
SHA256: 0605d3622a953ea5b976b34f80e5fd3704c6937644cb6fb11a88351aaf0d110c
SHA512: 5c690b8492f5dd8211b5f9c2883782d7aee9db8fa1e4eab715a1c0582b3a4df73d69a0b90193e5ea7613759635109fe7fb064dfd9967ee0dbb22730830e03c3b
SSDEEP: 12288:uxdZ9bHoAU/vqVGy3hfiZsRxINqlraIWSA8xTR8YWKfUJlRqyn7dXjg/t:ux5bHo5y3hwixlraIWojcwynJ+t
TLSH: C5F4F180707A4863C2AC15F941A1F5801BBC9D276D1DE1C76CC279CFB8E6F898ACE957
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b.....................Z.......1... ...@....@.. ....................................@................................
Icon Hash: 4462f276dcec30e6
Entrypoint: 0x4b31d2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x629018AA [Fri May 27 00:17:46 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb3178 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x5788 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb11d8 | 0xb1200 | False | 0.886924124471 | data | 7.82024778382 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x5788 | 0x5800 | False | 0.964533025568 | data | 7.90382013915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb4130 | 0x51a3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xb92d4 | 0x14 | data | |
RT_VERSION | 0xb92e8 | 0x2ec | data | |
RT_MANIFEST | 0xb95d4 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 1.0.0.0
InternalName | ImageFileMach.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | ImageFileMach.exe
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/27/22-16:17:51.099555 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49763 | 587 | 192.168.2.4 | 78.46.5.205
05/27/22-16:17:51.099661 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49763 | 587 | 192.168.2.4 | 78.46.5.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 16:17:49.427047014 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:49.448726892 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:49.448837996 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:49.472358942 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:49.535193920 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:50.351075888 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:50.373107910 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:50.431512117 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:50.453226089 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:50.535346985 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:50.912290096 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:50.976419926 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:50.984155893 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:50.995080948 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:51.019408941 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.054641008 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:51.076780081 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.077076912 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:51.098633051 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.098654985 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.099555016 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:51.099661112 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:51.100368977 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:51.100446939 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
May 27, 2022 16:17:51.120975018 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.121015072 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.121656895 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.121726036 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.123563051 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4
May 27, 2022 16:17:51.222820997 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 16:17:49.336064100 CEST | 64277 | 53 | 192.168.2.4 | 8.8.8.8
May 27, 2022 16:17:49.354921103 CEST | 53 | 64277 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 16:17:49.336064100 CEST | 192.168.2.4 | 8.8.8.8 | 0x953f | Standard query (0) | mail.your-server.de | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 27, 2022 16:17:49.354921103 CEST | 8.8.8.8 | 192.168.2.4 | 0x953f | No error (0) | mail.your-server.de | | 78.46.5.205 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 27, 2022 16:17:49.472358942 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 220 sslproxy02.your-server.de Exim ESMTP Service ready
May 27, 2022 16:17:50.351075888 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205 | EHLO 376483
May 27, 2022 16:17:50.373107910 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 250-sslproxy02.your-server.de Hello 376483 [102.129.143.42]
    250-SIZE 104857600
    250-8BITMIME
    250-ETRN
    250-PIPELINING
    250-AUTH LOGIN PLAIN
    250-CHUNKING
    250-STARTTLS
    250 HELP
May 27, 2022 16:17:50.431512117 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205 | AUTH login c2FuZHJhLnZhc2ljQHBpY2tlcnIuY29t
May 27, 2022 16:17:50.453226089 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 334 UGFzc3dvcmQ6
May 27, 2022 16:17:50.984155893 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 235 Authentication succeeded
May 27, 2022 16:17:50.995080948 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205 | MAIL FROM:<sandra.vasic@pickerr.com>
May 27, 2022 16:17:51.019408941 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 250 OK
May 27, 2022 16:17:51.054641008 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205 | RCPT TO:<ceo-speedbs@dr.com>
May 27, 2022 16:17:51.076780081 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 250 Accepted
May 27, 2022 16:17:51.077076912 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205 | DATA
May 27, 2022 16:17:51.098654985 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
May 27, 2022 16:17:51.100446939 CEST | 49763 | 587 | 192.168.2.4 | 78.46.5.205 | .
May 27, 2022 16:17:51.123563051 CEST | 587 | 49763 | 78.46.5.205 | 192.168.2.4 | 250 OK id=1nuaml-000Vt8-2q


                                                                                    Target ID:0
                                                                                    Start time:16:17:12
                                                                                    Start date:27/05/2022
                                                                                    Path:C:\Users\user\Desktop\SWIFT,pdf.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\SWIFT,pdf.exe"
                                                                                    Imagebase:0x350000
                                                                                    File size:749056 bytes
                                                                                    MD5 hash:01844EA0E93A3C408E3D37C577723B85
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.292324885.000000000286F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.292711818.0000000002984000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.295567908.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.295567908.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.300286578.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                    Reputation:low

                                                                                    Target ID:2
                                                                                    Start time:16:17:18
                                                                                    Start date:27/05/2022
                                                                                    Path:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                    Imagebase:0x7ff74bbf0000
                                                                                    File size:36864 bytes
                                                                                    MD5 hash:02BA81746B929ECC9DB6665589B68335
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate

                                                                                    Target ID:4
                                                                                    Start time:16:17:34
                                                                                    Start date:27/05/2022
                                                                                    Path:C:\Users\user\Desktop\SWIFT,pdf.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\Desktop\SWIFT,pdf.exe
                                                                                    Imagebase:0x390000
                                                                                    File size:749056 bytes
                                                                                    MD5 hash:01844EA0E93A3C408E3D37C577723B85
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low

                                                                                    Target ID:5
                                                                                    Start time:16:17:35
                                                                                    Start date:27/05/2022
                                                                                    Path:C:\Users\user\Desktop\SWIFT,pdf.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\Desktop\SWIFT,pdf.exe
                                                                                    Imagebase:0xc40000
                                                                                    File size:749056 bytes
                                                                                    MD5 hash:01844EA0E93A3C408E3D37C577723B85
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.288508913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.288508913.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.501638862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.501638862.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287160504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287160504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.287602943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.287602943.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.289277501.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.289277501.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.504275024.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298764138.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_5900000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8af954fda65c2feeb0d6458d330a1012c4839557544a9b77b9015cdf7e4e37d2
                                                                                      • Instruction ID: 1499ba75a4dfb7691a422a2da98aac1f2cb01805ff0c53e23474a6749e676451
                                                                                      • Opcode Fuzzy Hash: 8af954fda65c2feeb0d6458d330a1012c4839557544a9b77b9015cdf7e4e37d2
                                                                                      • Instruction Fuzzy Hash: F7A4F634E107198FD765EF34C854A9AB3B2FF89308F5045AAD50AAB350EB31AE85CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298764138.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_5900000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cc1631f8bb6133dbbd4daa37dd4b45020caf3f1124aa4808dec0b86e6859b8e0
                                                                                      • Instruction ID: c4bfacbc65000f381df4ed08ed88a374158df752d7f71312e74138e40e7a7900
                                                                                      • Opcode Fuzzy Hash: cc1631f8bb6133dbbd4daa37dd4b45020caf3f1124aa4808dec0b86e6859b8e0
                                                                                      • Instruction Fuzzy Hash: E1A4F634E107198FD765EF34C854A9AB3B2FF89308F5045AAD50AAB350EB31AE85CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: UUUU
                                                                                      • API String ID: 0-1798160573
                                                                                      • Opcode ID: b63fb8f30bd7f7e682c9728f3551663cc49a99de9bf6b86d1ca8a67bd067ba66
                                                                                      • Instruction ID: 2b4c627dc25b3d9bd7e163fc58aeea5bf243281f5f905d823575409413a340f3
                                                                                      • Opcode Fuzzy Hash: b63fb8f30bd7f7e682c9728f3551663cc49a99de9bf6b86d1ca8a67bd067ba66
                                                                                      • Instruction Fuzzy Hash: B2A2A275A04628CFDB64CF69C984A9DBBB2FF89304F1581E9D509AB325DB319E81CF40
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 058EF00E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateProcess
                                                                                      • String ID:
                                                                                      • API String ID: 963392458-0
                                                                                      • Opcode ID: 65abd8c5aa9036f46bdcd9119df5bcf9043300bf98c5d8a07bfc73e9aa245260
                                                                                      • Instruction ID: cf6eabb4e54ed67e5d00707fc01f43924e573cfc91c4b76d6cd7f481293926a1
                                                                                      • Opcode Fuzzy Hash: 65abd8c5aa9036f46bdcd9119df5bcf9043300bf98c5d8a07bfc73e9aa245260
                                                                                      • Instruction Fuzzy Hash: C3916931D04229DFDF20CFA4C881BEDBAB6BF49314F0485A9E949E7240DB749985CF91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058EEB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: MemoryProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3559483778-0
                                                                                      • Opcode ID: 08c539704cb59bc8085d400ad0f450c176e3eeba855a4cba97501466fc65febc
                                                                                      • Instruction ID: d5d000fea9c9c277ad948f098d0f339deaed2afd05d09a8a2b1764b2945ea652
                                                                                      • Opcode Fuzzy Hash: 08c539704cb59bc8085d400ad0f450c176e3eeba855a4cba97501466fc65febc
                                                                                      • Instruction Fuzzy Hash: 9121F5719003599FDB10CFA9C884BDEBBF5FF48314F14842AE959A7240D7789944DBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 058EE8B6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: ContextThread
                                                                                      • String ID:
                                                                                      • API String ID: 1591575202-0
                                                                                      • Opcode ID: 5852222de48e6fa7e2f3df17caf54273c55a3b594a55f326915218cb72425dcc
                                                                                      • Instruction ID: 0244a5fb8d1665843a232051a155954a70f045df614db41018995cd668ab41a9
                                                                                      • Opcode Fuzzy Hash: 5852222de48e6fa7e2f3df17caf54273c55a3b594a55f326915218cb72425dcc
                                                                                      • Instruction Fuzzy Hash: 5E213571D043598FDB10CFAAC4857EEBBF4EF49324F54842AD919A7240DB78A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058EEC60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: MemoryProcessRead
                                                                                      • String ID:
                                                                                      • API String ID: 1726664587-0
                                                                                      • Opcode ID: 57f6a87e4341e42f4d9896acda2c0f0b090691f97d206e530aa0e4907e2dd978
                                                                                      • Instruction ID: f9bce87bc84e73a15f5a87ee6219b263b38d34b6606911a417d6da75d469813f
                                                                                      • Opcode Fuzzy Hash: 57f6a87e4341e42f4d9896acda2c0f0b090691f97d206e530aa0e4907e2dd978
                                                                                      • Instruction Fuzzy Hash: 6F211671D002599FCB10CFA9C884AEEBBB5FF48314F51842AE919A7240D7749944DBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 058EEA3E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 6c1556a938487a2b26944af5e6409c34ea3af5d54cc8d69a23a6feaddc266e8c
                                                                                      • Instruction ID: eece0608f35af55536d1e79e3173fe8ada299827569de0a6b8dbf6ef0a8ad20f
                                                                                      • Opcode Fuzzy Hash: 6c1556a938487a2b26944af5e6409c34ea3af5d54cc8d69a23a6feaddc266e8c
                                                                                      • Instruction Fuzzy Hash: 8E1137719042489FCF10CFA9C844BDFBBF5AF48324F148819E615A7250C7759944DFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: ResumeThread
                                                                                      • String ID:
                                                                                      • API String ID: 947044025-0
                                                                                      • Opcode ID: 55310b0e32a64ffa4e7adee6f2b995a3aeba3e73f48aa68a107e92c3604fa5b1
                                                                                      • Instruction ID: c3c1e16f5c103c02872a3b50c9e9be83d772002cb6b5777aaad003a5d133c034
                                                                                      • Opcode Fuzzy Hash: 55310b0e32a64ffa4e7adee6f2b995a3aeba3e73f48aa68a107e92c3604fa5b1
                                                                                      • Instruction Fuzzy Hash: 33113671D043488BCB10DFAAC8447EEFBF9AF89224F15882AD519B7740DB74A944CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b9ec3e59c1f4a8a8ef3c1de1a9cac2c3107b3ad0203e6be8e3e1b17a219bfb23
                                                                                      • Instruction ID: f6949505ff8c97d25d7737ff8a6c7e150e18ad3eb31bfea18c12915385865dc6
                                                                                      • Opcode Fuzzy Hash: b9ec3e59c1f4a8a8ef3c1de1a9cac2c3107b3ad0203e6be8e3e1b17a219bfb23
                                                                                      • Instruction Fuzzy Hash: 17C17375E006588FDB58CF6AD944ADDBBF2AF89304F14C0AAD909AB364DB305E81CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 65b99c912cd040eeec71c78a97fd8b9981d041892fe3987da5cbbc83b6aca723
                                                                                      • Instruction ID: 2ad9f21e87c5d5ace8e700e5c1f7b582025d277b46a6c1669a0aec14ee1b9081
                                                                                      • Opcode Fuzzy Hash: 65b99c912cd040eeec71c78a97fd8b9981d041892fe3987da5cbbc83b6aca723
                                                                                      • Instruction Fuzzy Hash: 6DC17375E006598FDB58CF6AD944ADDBBF2AF89304F14C0AAD909AB324DB305E81CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 076e27e2817007ce5669a7fea3f6327e99baf258a0a083ed3501614a7326b5fc
                                                                                      • Instruction ID: 875451b2ffbb699feae8e1f19cd5948d9298252bbde34c3fa3288c4fe3540da7
                                                                                      • Opcode Fuzzy Hash: 076e27e2817007ce5669a7fea3f6327e99baf258a0a083ed3501614a7326b5fc
                                                                                      • Instruction Fuzzy Hash: 2DC17375E006598FDB58CF6AD944ADDBBF2AF89304F14C0AAD909AB364DB305E81CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 69560beeade44b2984deb283e634f7c62ffcc2a4b7ae8f3437cd75babd3b19ca
                                                                                      • Instruction ID: 1855b62b6c5e17fe10ddf839e016af248695cccbabf53682e811258b164c4e51
                                                                                      • Opcode Fuzzy Hash: 69560beeade44b2984deb283e634f7c62ffcc2a4b7ae8f3437cd75babd3b19ca
                                                                                      • Instruction Fuzzy Hash: 27C16475E006598FDB58CF6AD944ADDBBF2AF89304F14C0AAD909AB364DB305E81CF50
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6a3a66902bc57ae0279aa75694cd5dc77259d6af08c1cfa7ea8cf85be11c2f50
                                                                                      • Instruction ID: 11c4130963774b24f634cb9037362ec8818a7354af86ddad576d98a84de8ee3c
                                                                                      • Opcode Fuzzy Hash: 6a3a66902bc57ae0279aa75694cd5dc77259d6af08c1cfa7ea8cf85be11c2f50
                                                                                      • Instruction Fuzzy Hash: AE616D71D14648DFD748EFAAE88569E7BF3AFC8308F14C429E004AB368DF7169068B51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b0ef231abe2ea87f25fa46ffe8896f619985f420c3f59cc126b80cac64495a03
                                                                                      • Instruction ID: 2c39b3280efeca3217486c0f3a524e8e67ebca69cd3f0825824ce6e88a597ef0
                                                                                      • Opcode Fuzzy Hash: b0ef231abe2ea87f25fa46ffe8896f619985f420c3f59cc126b80cac64495a03
                                                                                      • Instruction Fuzzy Hash: FD615D71D14648DFD748DFAAE88578E7BF2AFC8208F14C469E004AB368DF7169068B51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c641b4f9e87c72717fbc4408caed3c446379c7eb2e4a00d1b2902d61f562d784
                                                                                      • Instruction ID: 1b31f10cd3ad01db1fcc91a2bd339f5ade343e95d3b0b8f0d25afb6e65f30607
                                                                                      • Opcode Fuzzy Hash: c641b4f9e87c72717fbc4408caed3c446379c7eb2e4a00d1b2902d61f562d784
                                                                                      • Instruction Fuzzy Hash: EC615D71D14648DFD748EFBAE48568E7BF3AFC8208B14C46AE004AB368DF7169068B51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7f5f1a734b17403d74e6aa15bfa69ac62deb9f8703d3ef98ba62b9e888d08b18
                                                                                      • Instruction ID: 0b7520a438d73f774d4f9a5603a25ba4946ad24e557bbd667e0aece89a6d6073
                                                                                      • Opcode Fuzzy Hash: 7f5f1a734b17403d74e6aa15bfa69ac62deb9f8703d3ef98ba62b9e888d08b18
                                                                                      • Instruction Fuzzy Hash: 24615D71D14648DFD748EFAAE88568E7BF2AFC8208F14C469E104AB368DF7169068B51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dc869f5d4df418086865b1724309105fd67c678560a13a25b90050531e8618ed
                                                                                      • Instruction ID: c2009adfb6626b65d8184fa571f26297d715f6761bfd8efc04f31d299ccec309
                                                                                      • Opcode Fuzzy Hash: dc869f5d4df418086865b1724309105fd67c678560a13a25b90050531e8618ed
                                                                                      • Instruction Fuzzy Hash: 874125B1E056188BEB1CCF6B9C4469EFAF7BFC9200F14C1BA980DAA254EB310955CF11
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dec9ee87c586f36e60c78e0611bf1064c0ad44a30bd8d49072eddb3cf68b6d2f
                                                                                      • Instruction ID: b9fa52794d2bb5e5ecfbb729f07e0404bbc9d7847293c573240b22a17343c3b8
                                                                                      • Opcode Fuzzy Hash: dec9ee87c586f36e60c78e0611bf1064c0ad44a30bd8d49072eddb3cf68b6d2f
                                                                                      • Instruction Fuzzy Hash: 664103B1E056588BEB1CCF6B9C4469EFAF7BFC9204F14C1BA980DAA254EB310955CF11
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5b32d5e97167d060fe71aba7a712542e33bfcbbcdc7a10300d44398fe383cb5d
                                                                                      • Instruction ID: caa9efe24daf7ef9757e0643fe0300ae21e9e8472fc99e9807e71086365e2e8d
                                                                                      • Opcode Fuzzy Hash: 5b32d5e97167d060fe71aba7a712542e33bfcbbcdc7a10300d44398fe383cb5d
                                                                                      • Instruction Fuzzy Hash: 8C4101B1E056588BEB1CCF6B9D4469AFAF3BFC9200F14C1BA980DAA254EB310955CF11
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_58e0000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 14b5304c7c313d72f90161bbc4f043ffb16b8544dfa6a4c6e43fd94eeba8d4fb
                                                                                      • Instruction ID: ac73a6ea36dd9dd5569c959ccd71b8e78f05c36c15f4fc3d68a1ae755039112e
                                                                                      • Opcode Fuzzy Hash: 14b5304c7c313d72f90161bbc4f043ffb16b8544dfa6a4c6e43fd94eeba8d4fb
                                                                                      • Instruction Fuzzy Hash: 764102B1E056588BEB1CCF6B9D4069EFAF3BFC9200F14C1BA980CAA254EB3109558F11
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

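The five records above for the dump at 058E0000 are the evidence behind the "Injects a PE file into a foreign processes" signature: the non-PE-backed region holds stubs that call VirtualAllocEx, WriteProcessMemory, SetThreadContext, ReadProcessMemory and ResumeThread, the core of a process-hollowing loader. The following script is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses those record lines (copied from the page, with the other lines of each record omitted), maps each `ref:` address to an offset inside the dump, and reports whether the complete hollowing set is present. `parse_records`, `summarize`, `API_ID_TO_WIN32` and `HOLLOWING_CORE` are this example's own names; the API-ID-to-Win32 pairs are the ones this page shows side by side.

```python
"""Classify the injection APIs in a Joe Sandbox function listing (added example)."""
import re
from typing import Dict, List

# Constructed from the five records on the page: "APIs" entry, dump source line
# and normalised "API ID" of each. The fifth record has no "APIs" entry.
SAMPLE_RECORDS = """\
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058EEB50
• Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
• API ID: MemoryProcessWrite
Uniqueness Score: -1.00%
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 058EE8B6
• Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
• API ID: ContextThread
Uniqueness Score: -1.00%
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058EEC60
• Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
• API ID: MemoryProcessRead
Uniqueness Score: -1.00%
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 058EEA3E
• Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
• API ID: AllocVirtual
Uniqueness Score: -1.00%
APIs
• Source File: 00000000.00000002.298620200.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false
• API ID: ResumeThread
Uniqueness Score: -1.00%
"""

API_LINE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
OFFSET = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
API_ID = re.compile(r"^•\s*API ID:\s*(?P<id>\S*)")

# Joe Sandbox's "API ID" is a normalised name; these pairs are the ones the
# report shows side by side. Used only when a record has no "APIs" entry.
API_ID_TO_WIN32 = {
    "MemoryProcessWrite": "WriteProcessMemory",
    "ContextThread": "SetThreadContext",
    "MemoryProcessRead": "ReadProcessMemory",
    "AllocVirtual": "VirtualAllocEx",
    "ResumeThread": "ResumeThread",
}
# Remote allocate, write, swap thread context, resume: the minimum a hollowing
# loader needs once it holds a suspended target process.
HOLLOWING_CORE = {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}


def _new_record() -> Dict:
    return {"apis": [], "api_id": "", "base": None, "from_pe": None}


def parse_records(text: str) -> List[Dict]:
    """Split the listing into records; a 'Uniqueness Score' line ends a record."""
    records, cur = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_LINE.match(line):
            cur["apis"].append({"api": m["api"], "module": m["module"],
                                "args": m["args"], "ref": int(m["ref"], 16)})
        elif m := OFFSET.search(line):
            cur["base"], cur["from_pe"] = int(m["base"], 16), m["pe"] == "true"
        elif m := API_ID.match(line):
            cur["api_id"] = m["id"]
        elif line.startswith("Uniqueness Score"):
            records.append(cur)
            cur = _new_record()
    return records


def summarize(records: List[Dict]) -> Dict:
    """Collect the Win32 APIs seen, their offsets inside the dump, and a verdict."""
    apis, offsets, outside, bases = set(), {}, {}, set()
    for r in records:
        if r["base"] is not None:
            bases.add((r["base"], r["from_pe"]))
        if r["apis"]:
            for call in r["apis"]:
                apis.add(call["api"])
                if r["base"] is not None and call["ref"] >= r["base"]:
                    offsets[call["api"]] = call["ref"] - r["base"]
                else:
                    outside[call["api"]] = call["ref"]   # call site not in this dump
        elif r["api_id"] in API_ID_TO_WIN32:
            apis.add(API_ID_TO_WIN32[r["api_id"]])
    missing = HOLLOWING_CORE - apis
    verdict = ("process-hollowing API set present" if not missing
               else "incomplete, missing " + ", ".join(sorted(missing)))
    return {"apis": apis, "offsets": offsets, "outside": outside,
            "bases": bases, "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    s = summarize(parse_records(SAMPLE_RECORDS))
    for base, from_pe in sorted(s["bases"]):
        print(f"dump base {base:08X}, PE-backed: {from_pe}")
    for api, off in sorted(s["offsets"].items(), key=lambda kv: kv[1]):
        print(f"  +{off:04X}  {api}")
    print(s["verdict"])
```

The offsets (+E8B6 SetThreadContext, +EA3E VirtualAllocEx, +EB50 WriteProcessMemory, +EC60 ReadProcessMemory) cluster within a few hundred bytes of each other, which is what you expect from one loader routine rather than unrelated library code; that, together with "based on PE: false", is why this dump and not the on-disk image is the one to carve for the injected payload.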
                                                                                      Execution Graph

                                                                                      Execution Coverage:19.6%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:221
                                                                                      Total number of Limit Nodes:2
                                                                                      execution_graph (text of the rendered graph; the node list is regrouped below by entry point, node ids are the graph's own numbers, values are addresses in the dumped region, API labels are the Joe Sandbox summary labels)
                                                                                      • Entry 5454540 (node 27397): 5454540 -> 5454554 -> 545478a, which branches to 5454793 (-> 545455d) and to 5454986, 545485f, 545496c and 5454870. Each of those four reaches 5454c67 and 5454c78 (labelled "2 API calls") before returning to 54549ab. 5454c67 / 5454c78 -> 5454c86 -> 5454cb9 / 5454cc8 (labelled RtlEncodePointer) -> 5454d2c RtlEncodePointer -> 5454d55 -> 5454c96 -> 54549ab.
                                                                                      • Entry 5450850 (node 27449): 5450850 -> 545085d -> 6166038 / 6166048 -> 6166047 / 6166068 -> 6166c28 / 6166c19 (labelled "41 API calls") -> 6166c31. 6166c31 leads to 6166d25 -> 61660db -> 545086f and to 6166d30 / 6166d40 (labelled "41 API calls") -> 6166d3a / 6166d5f -> 6166d87. 6166d3a and 6166d5f also fan out to 27 routines: 6167b3a, 6167b5b, 6167ba0, 6167be5, 6167c20, 6167c5b, 6167c96, 6167cd1, 6167d16, 6167d5b, 6167da0, 6167de5, 6167e2a and 6167e6f each call KiUserExceptionDispatcher twice, via 6167e93 and 6167eaf (6167b3a at 6167b40 and 6167eaf); 6167eca, 6167f0f, 6167f54, 6167f99, 6167fde, 616801a, 616805f, 61680a4, 61680e9, 616812e, 6168173, 61681bb and 6168203 each call it once via 616822a. All 27 exit through 6168249 -> 6166d87.
                                                                                      • Entry 545add0 (node 27670): 545add0 -> 545adee -> 5459dc0 -> 545c8f0 LoadLibraryA -> 545c9cc. (545ae25 is listed as a node without edges.)
                                                                                      • Entry 6166b50 (node 27445): 6166b50 -> 6166b9b MoveFileExW -> 6166bef.
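The execution_graph dump is the most useful part of this section for triage, but as a single run of tokens it is hard to read. The following Python parser is an added example, not part of the Joe Sandbox report or product: it recovers nodes, edges, entry points and API call sites from the raw text and reports which APIs each entry point can reach. The token grammar (`<id> <hex addr> [label ...]` for a node, `<id>-><id>` for an edge) is inferred from the dump rather than taken from a published specification, so it is an assumption; the embedded sample is an excerpt copied from this report's node list and is labelled as such.

```python
"""Parse Joe Sandbox ``execution_graph`` text into nodes and edges and recover
entry points and API call sites.

Added example, not part of the Joe Sandbox report or product. The token grammar
(``<id> <hex addr> [label ...]`` for a node, ``<id>-><id>`` for an edge) is
inferred from the dump, not taken from a specification (assumption).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{7,8}$")   # 32-bit addresses as printed in the dump
API_RE = re.compile(r"^[A-Za-z_]\w*$")      # a one-token label is an import name

# Excerpt of the execution_graph text from this report (constructed sample):
# part of the 5454540 subgraph plus the LoadLibraryA and MoveFileExW subgraphs.
SAMPLE = (
    "execution_graph 27397 5454540 27398 5454554 27397->27398 27401 545478a "
    "27398->27401 27399 545455d 27402 5454793 27401->27402 27407 5454986 "
    "27401->27407 27412 545485f 27401->27412 27402->27399 27408 5454999 "
    "27407->27408 27409 54549ab 27407->27409 27427 5454c67 27408->27427 "
    "27432 5454c78 27408->27432 27413 5454870 27412->27413 27414 54549ab "
    "27413->27414 27415 5454c67 2 API calls 27413->27415 27416 5454c78 "
    "2 API calls 27413->27416 27415->27414 27416->27414 27428 5454c86 "
    "27427->27428 27437 5454cb9 27428->27437 27429 5454c96 27429->27409 "
    "27433 5454c86 27432->27433 27435 5454cb9 RtlEncodePointer 27433->27435 "
    "27436 5454cc8 RtlEncodePointer 27433->27436 27434 5454c96 27434->27409 "
    "27435->27434 27436->27434 27438 5454cc8 27437->27438 27439 5454d2c "
    "RtlEncodePointer 27438->27439 27440 5454d55 27438->27440 27439->27440 "
    "27440->27429 27670 545add0 27671 545adee 27670->27671 27674 5459dc0 "
    "27671->27674 27673 545ae25 27676 545c8f0 LoadLibraryA 27674->27676 "
    "27677 545c9cc 27676->27677 27445 6166b50 27446 6166b9b MoveFileExW "
    "27445->27446 27448 6166bef 27446->27448"
)


@dataclass
class Node:
    addr: str
    label: str = ""

    @property
    def api(self):
        """API name when the label is a single import name, else None."""
        return self.label if API_RE.match(self.label) else None


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps graph id -> Node, edges is a list of (src, dst)."""
    tokens = text.split()            # line breaks inside the dump are irrelevant
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            current = None               # labels never follow an edge token
            i += 1
            continue
        # A decimal token followed by a hex address opens a node; this is what
        # tells a node id apart from a label such as "2 API calls".
        if ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = Node(tokens[i + 1])
            nodes[tok] = current
            i += 2
            continue
        if current is not None:          # remaining tokens are the open node's label
            current.label = (current.label + " " + tok).strip()
        i += 1
    return nodes, edges


def entry_points(nodes, edges):
    """Addresses of nodes with outgoing but no incoming edges (the graph's roots)."""
    has_in = {dst for _, dst in edges}
    has_out = {src for src, _ in edges}
    return sorted(nodes[n].addr for n in nodes if n in has_out and n not in has_in)


def api_call_sites(nodes):
    """Map each API name to the sorted addresses of the nodes labelled with it."""
    sites = defaultdict(set)
    for node in nodes.values():
        if node.api:
            sites[node.api].add(node.addr)
    return {api: sorted(addrs) for api, addrs in sites.items()}


def reachable_apis(nodes, edges, start_addr):
    """APIs reachable from every node at start_addr, following edges depth-first."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    stack = [n for n, node in nodes.items() if node.addr == start_addr]
    seen, apis = set(), set()
    while stack:
        n = stack.pop()
        if n in seen or n not in nodes:
            continue
        seen.add(n)
        if nodes[n].api:
            apis.add(nodes[n].api)
        stack.extend(succ[n])
    return sorted(apis)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    for addr in entry_points(nodes, edges):
        print(addr, "->", ", ".join(reachable_apis(nodes, edges, addr)) or "(no API)")
    for api, addrs in sorted(api_call_sites(nodes).items()):
        print(f"{api}: {', '.join(addrs)}")
```

Running it on the full dump rather than the excerpt gives one line per entry point (5454540, 5450850, 545add0, 6166b50) and the address list for KiUserExceptionDispatcher, which is the quickest way to see that the 0x6160000 region routes every one of its 27 routines through the exception dispatcher.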

                                                                                      Control-flow Graph

                                                                                      control_flow_graph (rendered graph; the executed / not-executed colouring is not recoverable from the text)
                                                                                      • Block 0: 6167b3a-61687ca, calls KiUserExceptionDispatcher * 2
                                                                                      • Block 141: 61687d0-616881f
                                                                                      • Edge: 0 -> 141
                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: cbdc761a81ff3ceea6af7237de58fb6d9bcc5d6552ced7f14758b8a0937b70b4
                                                                                      • Instruction ID: 8d411a58c05b37d81d0cc7fe3b31acdc5b93e6f07233e759544aa563936c4ad7
                                                                                      • Opcode Fuzzy Hash: cbdc761a81ff3ceea6af7237de58fb6d9bcc5d6552ced7f14758b8a0937b70b4
                                                                                      • Instruction Fuzzy Hash: E302CC38901358CFCBA5DF31D988699B7B2BF49306F2085E9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 77deb5f3877beacab718cc58ec611ffd524d83a7d6dc71dd9808f4a23c313f49
                                                                                      • Instruction ID: d3a59538ffe26710b75134456bfc092a7a81c8c8a2154d03e55c951d9e38b659
                                                                                      • Opcode Fuzzy Hash: 77deb5f3877beacab718cc58ec611ffd524d83a7d6dc71dd9808f4a23c313f49
                                                                                      • Instruction Fuzzy Hash: C802BA38901358CFCBA5DF31D988699B7B2BF49306F2085E9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: f5bb0e098887378ea28784a7be59fea5dd9fb8e5382ae0587e0a8c752629eaa7
                                                                                      • Instruction ID: 2a8581d43768be515e6c3b40054d3f938f4ab8955fb6fcca7c1eec1e7832c940
                                                                                      • Opcode Fuzzy Hash: f5bb0e098887378ea28784a7be59fea5dd9fb8e5382ae0587e0a8c752629eaa7
                                                                                      • Instruction Fuzzy Hash: FA02CB38901358CFCBA5DF31D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: d4ef47e7703a2fcdf48fe53c8b5032cc01552f6cd768041385fcc106ea6f37a6
                                                                                      • Instruction ID: 40ef72fe7b24041dc189b338daa840df53e79b8afbf23a635d1ef83f625c41a3
                                                                                      • Opcode Fuzzy Hash: d4ef47e7703a2fcdf48fe53c8b5032cc01552f6cd768041385fcc106ea6f37a6
                                                                                      • Instruction Fuzzy Hash: 5002CB38901358CFCBA5DF31D988699B7B2BF49306F2085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: c3fa45af224700d9813174f099f538574c1545b4c0b7ec84adc9d91bfdc4017f
                                                                                      • Instruction ID: f8d39bd7c81e97d518ad5885f2ddc7deefedcd4d7dd7450a4339e52f6a065f52
                                                                                      • Opcode Fuzzy Hash: c3fa45af224700d9813174f099f538574c1545b4c0b7ec84adc9d91bfdc4017f
                                                                                      • Instruction Fuzzy Hash: 37F1DB38901358CFCBA5DF31D988699B7B2BF49306F2085D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 5654b0407564b9cae41dd885b46d5acf997c4324381dd1359a0801ec71705b61
                                                                                      • Instruction ID: 06d05ce9bd7c99a9bfdd0b367db853dad203813567ce34576eb8127b518789e7
                                                                                      • Opcode Fuzzy Hash: 5654b0407564b9cae41dd885b46d5acf997c4324381dd1359a0801ec71705b61
                                                                                      • Instruction Fuzzy Hash: ECF1DB38901368CFCBA5DF31D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: fe51ef9da8edf8b54c5c8ccebec47b83ac51a11c5fc22c27687bd62590ff0899
                                                                                      • Instruction ID: 24a6409907208bef1c11caa6002dd8593e92e152f2195e209e0ca42100285098
                                                                                      • Opcode Fuzzy Hash: fe51ef9da8edf8b54c5c8ccebec47b83ac51a11c5fc22c27687bd62590ff0899
                                                                                      • Instruction Fuzzy Hash: 8AF1CA38901368CFCBA5DF31D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: d4fbefa479199b3f6d25df06f6c6d4e6db9c9a0b986ce56a99cf2b0f299cae7c
                                                                                      • Instruction ID: 47c2f6d680214dc7043a48606fdb708f746a8a0d092e0596b73f140cf75f7416
                                                                                      • Opcode Fuzzy Hash: d4fbefa479199b3f6d25df06f6c6d4e6db9c9a0b986ce56a99cf2b0f299cae7c
                                                                                      • Instruction Fuzzy Hash: C7F1CA38901368CFCBA5DF31D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 025e65aabc47ce1cf20de38f3460663cca595a3e714c01c979e12371c3000ea1
                                                                                      • Instruction ID: 179ab79e47861c146e99b0b0adb8db62f18a44edaad7be30da9dd8127ee5b259
                                                                                      • Opcode Fuzzy Hash: 025e65aabc47ce1cf20de38f3460663cca595a3e714c01c979e12371c3000ea1
                                                                                      • Instruction Fuzzy Hash: 74F1CA38901368CFCBA5DF31D988699B7B2BF49306F2085D9D50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: c24563c0efdebe7a5e5d2865d42eee6df54b959ff0d494ed6e2d6e5e8dadc368
                                                                                      • Instruction ID: 5f8115549f96daf79c38c063ebd67fe03908529849cff4226a4b0a81c5649dc5
                                                                                      • Opcode Fuzzy Hash: c24563c0efdebe7a5e5d2865d42eee6df54b959ff0d494ed6e2d6e5e8dadc368
                                                                                      • Instruction Fuzzy Hash: 01E1DA38901368CFCBA5DF31D988699B7B2BF49306F1045D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 34fc8e02eda9ce0a09143c613fd15cd4645bede8249376e9aece6e96a3c5c315
                                                                                      • Instruction ID: e1bd03dfb4c357d701e573f9fa0e4759e2ff12b0d8561290e44ae84e6578469b
                                                                                      • Opcode Fuzzy Hash: 34fc8e02eda9ce0a09143c613fd15cd4645bede8249376e9aece6e96a3c5c315
                                                                                      • Instruction Fuzzy Hash: C3E1DA38901368CFCBA5DF31D988699B7B2BF49306F1045D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 8fc720e2cdb354f03fed20ae419abbed697b7c3de6b27ea24f1748fab431aafa
                                                                                      • Instruction ID: 2e47e52ecfec9282c7fc73951c85724a9288c4097126bf6744294cfda9aaf6eb
                                                                                      • Opcode Fuzzy Hash: 8fc720e2cdb354f03fed20ae419abbed697b7c3de6b27ea24f1748fab431aafa
                                                                                      • Instruction Fuzzy Hash: 22E1DA38901368CFCBA5DF31D988699B7B2BF49306F2085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 1262b31bbdd080c2f5667a39f2fb2595c3c1e80e7668bb4b966a38c53a956585
                                                                                      • Instruction ID: d29554ee51be7336dd431d3663adb9ffea56cfa8ac2a5a752a5eade425bb40df
                                                                                      • Opcode Fuzzy Hash: 1262b31bbdd080c2f5667a39f2fb2595c3c1e80e7668bb4b966a38c53a956585
                                                                                      • Instruction Fuzzy Hash: BFE1CA38901368CFCBA5DF31D988699B7B2BF49306F2085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 06167E93
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 2b2ae46a8855869a99a1b835389a1a992809095a200e2bca06dedd8bddb35be8
                                                                                      • Instruction ID: 4213fcae89d7335a33704ae8259ffc9cfbfd7e38f35f43fb8c746e483a49ba41
                                                                                      • Opcode Fuzzy Hash: 2b2ae46a8855869a99a1b835389a1a992809095a200e2bca06dedd8bddb35be8
                                                                                      • Instruction Fuzzy Hash: 26D1C938901368CFCBA5DF31D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF51
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph (rendered as an image in the original; its legend colours mark Executed vs. Not Executed blocks)

                                                                                      Basic block 1808 (6167eca-61687ca): call 6165a58, call 6165be8, KiUserExceptionDispatcher -> basic block 1912 (61687d0-616881f)
                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 058485bf959e71e82de13ab85f55ee2f6f4a67fdb88a43256188fa40f1881a97
                                                                                      • Instruction ID: 084f2fbbc4fd01af2d9ee6744e9c76b80ce634f4706b79772bbcffc6431416bb
                                                                                      • Opcode Fuzzy Hash: 058485bf959e71e82de13ab85f55ee2f6f4a67fdb88a43256188fa40f1881a97
                                                                                      • Instruction Fuzzy Hash: 67D1CA38905368CFCBA5DF30D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: fac26ec68905fcfd88511db727248ab904dace99f682efbcedcf635fabd54e86
                                                                                      • Instruction ID: db0b4770b88a246cc9020fe4128d33f5aab4c55200bfb2da96f0218f1fe1f5b7
                                                                                      • Opcode Fuzzy Hash: fac26ec68905fcfd88511db727248ab904dace99f682efbcedcf635fabd54e86
                                                                                      • Instruction Fuzzy Hash: 5DD1CA38905368CFCBA5DF30D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: ff4b0a876d8c4c486bd28b5d130da1ff91012ea760e9cf488d301fd184bd9487
                                                                                      • Instruction ID: 6023bd0af3367702794bb0dc4ee392cf7091fc50d77638ddbf05b386982f9798
                                                                                      • Opcode Fuzzy Hash: ff4b0a876d8c4c486bd28b5d130da1ff91012ea760e9cf488d301fd184bd9487
                                                                                      • Instruction Fuzzy Hash: E4C1DA38905368CFCBA5DF30D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: c18aa9017133cfc79278fad4c574e8576911f436ef38b38bbe0dae11373f49a3
                                                                                      • Instruction ID: 7ae14b3268d99cedb764869a2affa87f035bd2c426e46e1d5ce83a046c4bf712
                                                                                      • Opcode Fuzzy Hash: c18aa9017133cfc79278fad4c574e8576911f436ef38b38bbe0dae11373f49a3
                                                                                      • Instruction Fuzzy Hash: 56C1DA38905368CFCBA5DF30D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 602c7c59b221de3c1c160bbd4088d0b53307ce08366b925c0f7d0e1d0510cbd2
                                                                                      • Instruction ID: bdfabbaf97debfff1235fee89e2ee0e3db99a0e256123b37cf9b3664528b5e09
                                                                                      • Opcode Fuzzy Hash: 602c7c59b221de3c1c160bbd4088d0b53307ce08366b925c0f7d0e1d0510cbd2
                                                                                      • Instruction Fuzzy Hash: 6CB1DA38905368CFCBA5DF30D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: a3e31a87a13d5c8478d0cbe7b8ee11c2ed409e47012b1aff525c1bbdf7590a1b
                                                                                      • Instruction ID: 27178135226f2677de5b7469f12c92917eb1957b31f682b131ce7ae9764c7b4b
                                                                                      • Opcode Fuzzy Hash: a3e31a87a13d5c8478d0cbe7b8ee11c2ed409e47012b1aff525c1bbdf7590a1b
                                                                                      • Instruction Fuzzy Hash: 62B1DA38905368CFCBA5DF30D988699B7B2BF49306F1085D9E50AA2750CB359EC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 6cdd94cd5a4b14d62917cf82f681320d38a15162ea51e2b77a983ffa1a74bbb9
                                                                                      • Instruction ID: f9eb251748d308aaa05989cb8357ef98f36a0fb5dd84c43a427905b3f671dfa1
                                                                                      • Opcode Fuzzy Hash: 6cdd94cd5a4b14d62917cf82f681320d38a15162ea51e2b77a983ffa1a74bbb9
                                                                                      • Instruction Fuzzy Hash: 47B1EA38905368CFCBA5DF30D988699B7B2BF49306F1085E9E50AA2750CB359DC5CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: 0095fa1053db07a1c8108c445f6f13e80ac9583fc853d1c4ac706c8e7e7705a7
                                                                                      • Instruction ID: ff81607134b8d4e92555147e86e7f7aca2581470b0fe92258034b868ef66d1b2
                                                                                      • Opcode Fuzzy Hash: 0095fa1053db07a1c8108c445f6f13e80ac9583fc853d1c4ac706c8e7e7705a7
                                                                                      • Instruction Fuzzy Hash: AAB1D938905368CFCBA5DF30D988699B7B2BF49306F1085D9E50AA2750CB359DC6CF61
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      APIs
                                                                                      • KiUserExceptionDispatcher.NTDLL ref: 0616822A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000005.00000002.508920258.0000000006160000.00000040.00000800.00020000.00000000.sdmp, Offset: 06160000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_5_2_6160000_SWIFT,pdf.jbxd
                                                                                      Similarity
                                                                                      • API ID: DispatcherExceptionUser
                                                                                      • String ID:
                                                                                      • API String ID: 6842923-0
                                                                                      • Opcode ID: a5104e6eefb2db670d2ee873cf48d4750cf54601c5b3f07e48129093b91c8b21
                                                                                      • Instruction ID: 353d2b7db418ad987d3cd9a65b8e52a86b471844d845fc97ab65a453f8193d50
                                                                                      • Opcode Fuzzy Hash: a5104e6eefb2db670d2ee873cf48d4750cf54601c5b3f07e48129093b91c8b21