Edit tour

Windows Analysis Report
O06_SWIFT PAYMENT.exe

Overview

General Information

Sample name:	O06_SWIFT PAYMENT.exe
Analysis ID:	1580408
MD5:	472c1c23e9e15295bc2186cf3f5f2b77
SHA1:	c369d5f417651a2cf068d1c960451f214417528a
SHA256:	95e5f4aedd36c6d6a91df3e1504c518aa91fc548e2004c0f65f0af81a234dd0e
Tags:	exeuser-julianmckein
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

O06_SWIFT PAYMENT.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe" MD5: 472C1C23E9E15295BC2186CF3F5F2B77)

svchost.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2435665627.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2437465832.0000000003440000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", CommandLine: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", ParentImage: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe, ParentProcessId: 7524, ParentProcessName: O06_SWIFT PAYMENT.exe, ProcessCommandLine: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", ProcessId: 7540, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", CommandLine: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", ParentImage: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe, ParentProcessId: 7524, ParentProcessName: O06_SWIFT PAYMENT.exe, ProcessCommandLine: "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe", ProcessId: 7540, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: O06_SWIFT PAYMENT.exe

ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2435665627.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2437465832.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: O06_SWIFT PAYMENT.exe

Joe Sandbox ML: detected

Source: O06_SWIFT PAYMENT.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: O06_SWIFT PAYMENT.exe, 00000000.00000003.1677925130.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, O06_SWIFT PAYMENT.exe, 00000000.00000003.1678281543.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2437508377.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2105407807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2107050634.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2437508377.000000000379E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: O06_SWIFT PAYMENT.exe, 00000000.00000003.1677925130.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, O06_SWIFT PAYMENT.exe, 00000000.00000003.1678281543.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2437508377.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2105407807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2107050634.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2437508377.000000000379E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00694696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00694696
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069C93C FindFirstFileW,FindClose,	0_2_0069C93C
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0069C9C7
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069F200
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069F35D
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069F65E
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00693A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00693A2B
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00693D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00693D4E
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069BF27

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006A25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006A25E2

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006A425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006A425A

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006A4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_006A4458

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

0_2_006A425A

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00690219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00690219

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006BCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_006BCDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2435665627.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2437465832.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00633B4C
Source: O06_SWIFT PAYMENT.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: O06_SWIFT PAYMENT.exe, 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4cd0641d-2
Source: O06_SWIFT PAYMENT.exe, 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_751e287b-4
Source: O06_SWIFT PAYMENT.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ff515113-3
Source: O06_SWIFT PAYMENT.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8f94597a-b

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: O06_SWIFT PAYMENT.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CB83 NtClose,	1_2_0042CB83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672B60 NtClose,LdrInitializeThunk,	1_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk,	1_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03674340 NtSetContextThread,	1_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03674650 NtSuspendThread,	1_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BE0 NtQueryValueKey,	1_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BF0 NtAllocateVirtualMemory,	1_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BA0 NtEnumerateValueKey,	1_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672B80 NtQueryInformationFile,	1_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AF0 NtWriteFile,	1_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AD0 NtReadFile,	1_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AB0 NtWaitForSingleObject,	1_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F60 NtCreateProcessEx,	1_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F30 NtCreateSection,	1_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FE0 NtCreateFile,	1_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FA0 NtQuerySection,	1_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FB0 NtResumeThread,	1_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F90 NtProtectVirtualMemory,	1_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672E30 NtWriteVirtualMemory,	1_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672EE0 NtQueueApcThread,	1_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672EA0 NtAdjustPrivilegesToken,	1_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672E80 NtReadVirtualMemory,	1_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D30 NtUnmapViewOfSection,	1_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D00 NtSetInformationFile,	1_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D10 NtMapViewOfSection,	1_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DD0 NtDelayExecution,	1_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DB0 NtEnumerateKey,	1_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C60 NtCreateKey,	1_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C70 NtFreeVirtualMemory,	1_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C00 NtQueryInformationProcess,	1_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CF0 NtOpenProcess,	1_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CC0 NtQueryVirtualMemory,	1_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CA0 NtQueryInformationToken,	1_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673010 NtOpenDirectoryObject,	1_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673090 NtSetValueKey,	1_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036739B0 NtGetContextThread,	1_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673D70 NtOpenThread,	1_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673D10 NtOpenProcessToken,	1_2_03673D10

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00694021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00694021

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00688858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00688858

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_0069545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0069545F

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065DBB5	0_2_0065DBB5
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0063E060	0_2_0063E060
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006B804A	0_2_006B804A
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00644140	0_2_00644140
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00652405	0_2_00652405
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00666522	0_2_00666522
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006B0665	0_2_006B0665
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0066267E	0_2_0066267E
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00646843	0_2_00646843
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065283A	0_2_0065283A
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0063E800	0_2_0063E800
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006689DF	0_2_006689DF
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00648A0E	0_2_00648A0E
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006B0AE2	0_2_006B0AE2
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00666A94	0_2_00666A94
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0068EB07	0_2_0068EB07
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00698B13	0_2_00698B13
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065CD61	0_2_0065CD61
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00667006	0_2_00667006
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0064710E	0_2_0064710E
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00643190	0_2_00643190
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00631287	0_2_00631287
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006533C7	0_2_006533C7
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065F419	0_2_0065F419
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006516C4	0_2_006516C4
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00645680	0_2_00645680
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006458C0	0_2_006458C0
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006578D3	0_2_006578D3
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00651BB8	0_2_00651BB8
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00669D05	0_2_00669D05
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0063FE40	0_2_0063FE40
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065BFE6	0_2_0065BFE6
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00651FD0	0_2_00651FD0
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00CC3208	0_2_00CC3208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402140	1_2_00402140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040213D	1_2_0040213D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004101A3	1_2_004101A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F263	1_2_0042F263
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402A20	1_2_00402A20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404287	1_2_00404287
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B43	1_2_00416B43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402328	1_2_00402328
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402330	1_2_00402330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416B3E	1_2_00416B3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004103C3	1_2_004103C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404385	1_2_00404385
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E3B3	1_2_0040E3B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E4F8	1_2_0040E4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E54C	1_2_0040E54C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E503	1_2_0040E503
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F60	1_2_00402F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA352	1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037003E6	1_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C02C0	1_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C8158	1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630100	1_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F81CC	1_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F41A2	1_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037001AA	1_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664750	1_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363C7C0	1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365C6E0	1_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03700591	1_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F2446	1_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4420	1_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EE4F6	1_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FAB40	1_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F6BD7	1_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370A9A6	1_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364A840	1_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03642840	1_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E8F0	1_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036268B8	1_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4F40	1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03682F28	1_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660F30	1_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E2F30	1_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632FC8	1_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BEFA0	1_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640E59	1_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FEE26	1_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FEEDB	1_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652E90	1_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FCE93	1_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364AD00	1_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DCD1F	1_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363ADE0	1_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03658DBF	1_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640C00	1_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630CF2	1_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0CB5	1_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362D34C	1_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F132D	1_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0368739A	1_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036452A0	1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367516C	1_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370B16B	1_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364B1B0	1_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F70E9	1_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF0E0	1_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF0CC	1_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF7B0	1_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03685630	1_2_03685630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F16CC	1_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7571	1_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037095C3	1_2_037095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DD5B0	1_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03631460	1_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF43F	1_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFB76	1_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B5BF0	1_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367DBF9	1_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365FB80	1_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B3A6C	1_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFA49	1_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7A46	1_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EDAC6	1_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DDAAC	1_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03685AA0	1_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E1AA3	1_2_036E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03649950	1_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B950	1_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D5910	1_2_036D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AD800	1_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036438E0	1_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFF09	1_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03603FD2	1_2_03603FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03603FD5	1_2_03603FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFFB1	1_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641F92	1_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03649EB0	1_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7D73	1_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03643D40	1_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F1D5A	1_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365FDC0	1_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B9C32	1_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFCF2	1_2_036FFCF2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 265 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 108 times
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: String function: 00650D27 appears 70 times
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: String function: 00637F41 appears 35 times
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: String function: 00658B40 appears 42 times

Source: O06_SWIFT PAYMENT.exe, 00000000.00000003.1678903005.00000000037E3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs O06_SWIFT PAYMENT.exe
Source: O06_SWIFT PAYMENT.exe, 00000000.00000003.1677312147.000000000398D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs O06_SWIFT PAYMENT.exe

Source: O06_SWIFT PAYMENT.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_0069A2D5 GetLastError,FormatMessageW,

0_2_0069A2D5

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00688713 AdjustTokenPrivileges,CloseHandle,		0_2_00688713
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00688CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00688CC3

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_0069B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0069B59E

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006AF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_006AF121

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_0069C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0069C602

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00634FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00634FE9

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

File created: C:\Users\user\AppData\Local\Temp\autCB37.tmp

Jump to behavior

Source: O06_SWIFT PAYMENT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: O06_SWIFT PAYMENT.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe"
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe"
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe"	Jump to behavior

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: O06_SWIFT PAYMENT.exe

Static file information: File size 1227264 > 1048576

Source: O06_SWIFT PAYMENT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: O06_SWIFT PAYMENT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: O06_SWIFT PAYMENT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: O06_SWIFT PAYMENT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: O06_SWIFT PAYMENT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: O06_SWIFT PAYMENT.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: O06_SWIFT PAYMENT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: O06_SWIFT PAYMENT.exe, 00000000.00000003.1677925130.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, O06_SWIFT PAYMENT.exe, 00000000.00000003.1678281543.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2437508377.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2105407807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2107050634.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2437508377.000000000379E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: O06_SWIFT PAYMENT.exe, 00000000.00000003.1677925130.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, O06_SWIFT PAYMENT.exe, 00000000.00000003.1678281543.0000000003860000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2437508377.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2105407807.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2107050634.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2437508377.000000000379E000.00000040.00001000.00020000.00000000.sdmp

Source: O06_SWIFT PAYMENT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: O06_SWIFT PAYMENT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: O06_SWIFT PAYMENT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: O06_SWIFT PAYMENT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: O06_SWIFT PAYMENT.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006AC304 LoadLibraryA,GetProcAddress,

0_2_006AC304

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0063C590 push eax; retn 0063h	0_2_0063C599
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00698719 push FFFFFF8Bh; iretd	0_2_0069871B
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065E94F push edi; ret	0_2_0065E951
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065EA68 push esi; ret	0_2_0065EA6A
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00658B85 push ecx; ret	0_2_00658B98
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065EC43 push esi; ret	0_2_0065EC45
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065ED2C push edi; ret	0_2_0065ED2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040500E pushad ; ret	1_2_0040500F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004031D0 push eax; ret	1_2_004031D2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417307 pushad ; iretd	1_2_0041730F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041EE05 push ecx; ret	1_2_0041EE06
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041B6DB push edi; iretd	1_2_0041B6DD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041AE9D push ss; retf	1_2_0041AEAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401F21 push ss; retf	1_2_00401F29
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0360225F pushad ; ret	1_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036027FA pushad ; ret	1_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx	1_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0360283D push eax; iretd	1_2_03602858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0360135F push eax; iretd	1_2_03601369

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00634A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00634A35
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006B55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006B55FD

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006533C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006533C7

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

API/Special instruction interceptor: Address: CC2E2C

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0367096E rdtsc

1_2_0367096E

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 7544

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00694696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00694696
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069C93C FindFirstFileW,FindClose,	0_2_0069C93C
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0069C9C7
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069F200
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0069F35D
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069F65E
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00693A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00693A2B
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00693D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00693D4E
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0069BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0069BF27

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00634AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00634AFE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0367096E rdtsc

1_2_0367096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417AD3 LdrLoadDll,

1_2_00417AD3

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006A41FD BlockInput,

0_2_006A41FD

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00633B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00633B4C

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00665CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00665CCC

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006AC304 LoadLibraryA,GetProcAddress,

0_2_006AC304

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00CC30F8 mov eax, dword ptr fs:[00000030h]	0_2_00CC30F8
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00CC3098 mov eax, dword ptr fs:[00000030h]	0_2_00CC3098
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_00CC1A78 mov eax, dword ptr fs:[00000030h]	0_2_00CC1A78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D437C mov eax, dword ptr fs:[00000030h]	1_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h]	1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D8350 mov ecx, dword ptr fs:[00000030h]	1_2_036D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370634F mov eax, dword ptr fs:[00000030h]	1_2_0370634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov ecx, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]	1_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h]	1_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h]	1_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036663FF mov eax, dword ptr fs:[00000030h]	1_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h]	1_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h]	1_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov ecx, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]	1_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]	1_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]	1_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]	1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]	1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362826B mov eax, dword ptr fs:[00000030h]	1_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h]	1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h]	1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370625D mov eax, dword ptr fs:[00000030h]	1_2_0370625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h]	1_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636259 mov eax, dword ptr fs:[00000030h]	1_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]	1_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]	1_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362823B mov eax, dword ptr fs:[00000030h]	1_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037062D6 mov eax, dword ptr fs:[00000030h]	1_2_037062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]	1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]	1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]	1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]	1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]	1_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]	1_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h]	1_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h]	1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]	1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]	1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660124 mov eax, dword ptr fs:[00000030h]	1_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov eax, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DE10E mov ecx, dword ptr fs:[00000030h]	1_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h]	1_2_036F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h]	1_2_037061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h]	1_2_036601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]	1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]	1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03670185 mov eax, dword ptr fs:[00000030h]	1_2_03670185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]	1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]	1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]	1_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4180 mov eax, dword ptr fs:[00000030h]	1_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h]	1_2_0365C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632050 mov eax, dword ptr fs:[00000030h]	1_2_03632050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h]	1_2_036B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h]	1_2_0362A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h]	1_2_0362C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6030 mov eax, dword ptr fs:[00000030h]	1_2_036C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h]	1_2_036B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D2000 mov eax, dword ptr fs:[00000030h]	1_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0362A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h]	1_2_036380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h]	1_2_036B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0362C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h]	1_2_036720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h]	1_2_036B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036280A0 mov eax, dword ptr fs:[00000030h]	1_2_036280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h]	1_2_036C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h]	1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363208A mov eax, dword ptr fs:[00000030h]	1_2_0363208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638770 mov eax, dword ptr fs:[00000030h]	1_2_03638770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov esi, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630750 mov eax, dword ptr fs:[00000030h]	1_2_03630750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h]	1_2_036BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]	1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]	1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4755 mov eax, dword ptr fs:[00000030h]	1_2_036B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]	1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]	1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h]	1_2_036AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h]	1_2_0366C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630710 mov eax, dword ptr fs:[00000030h]	1_2_03630710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660710 mov eax, dword ptr fs:[00000030h]	1_2_03660710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_036BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]	1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]	1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h]	1_2_036B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036307AF mov eax, dword ptr fs:[00000030h]	1_2_036307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E47A0 mov eax, dword ptr fs:[00000030h]	1_2_036E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D678E mov eax, dword ptr fs:[00000030h]	1_2_036D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]	1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]	1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]	1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]	1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03662674 mov eax, dword ptr fs:[00000030h]	1_2_03662674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h]	1_2_0364C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h]	1_2_0364E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03666620 mov eax, dword ptr fs:[00000030h]	1_2_03666620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668620 mov eax, dword ptr fs:[00000030h]	1_2_03668620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363262C mov eax, dword ptr fs:[00000030h]	1_2_0363262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h]	1_2_036AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672619 mov eax, dword ptr fs:[00000030h]	1_2_03672619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]	1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]	1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0366C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036666B0 mov eax, dword ptr fs:[00000030h]	1_2_036666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]	1_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634690 mov eax, dword ptr fs:[00000030h]	1_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]	1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]	1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366656A mov eax, dword ptr fs:[00000030h]	1_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]	1_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638550 mov eax, dword ptr fs:[00000030h]	1_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535 mov eax, dword ptr fs:[00000030h]	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E53E mov eax, dword ptr fs:[00000030h]	1_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6500 mov eax, dword ptr fs:[00000030h]	1_2_036C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704500 mov eax, dword ptr fs:[00000030h]	1_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	1_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036325E0 mov eax, dword ptr fs:[00000030h]	1_2_036325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]	1_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C5ED mov eax, dword ptr fs:[00000030h]	1_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]	1_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E5CF mov eax, dword ptr fs:[00000030h]	1_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036365D0 mov eax, dword ptr fs:[00000030h]	1_2_036365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	1_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]	1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]	1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B05A7 mov eax, dword ptr fs:[00000030h]	1_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]	1_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036545B1 mov eax, dword ptr fs:[00000030h]	1_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632582 mov eax, dword ptr fs:[00000030h]	1_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632582 mov ecx, dword ptr fs:[00000030h]	1_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664588 mov eax, dword ptr fs:[00000030h]	1_2_03664588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E59C mov eax, dword ptr fs:[00000030h]	1_2_0366E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BC460 mov ecx, dword ptr fs:[00000030h]	1_2_036BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]	1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]	1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365A470 mov eax, dword ptr fs:[00000030h]	1_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E443 mov eax, dword ptr fs:[00000030h]	1_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA456 mov eax, dword ptr fs:[00000030h]	1_2_036EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362645D mov eax, dword ptr fs:[00000030h]	1_2_0362645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365245A mov eax, dword ptr fs:[00000030h]	1_2_0365245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]	1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]	1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E420 mov eax, dword ptr fs:[00000030h]	1_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C427 mov eax, dword ptr fs:[00000030h]	1_2_0362C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6420 mov eax, dword ptr fs:[00000030h]	1_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A430 mov eax, dword ptr fs:[00000030h]	1_2_0366A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]	1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]	1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668402 mov eax, dword ptr fs:[00000030h]	1_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036304E5 mov ecx, dword ptr fs:[00000030h]	1_2_036304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036364AB mov eax, dword ptr fs:[00000030h]	1_2_036364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036644B0 mov ecx, dword ptr fs:[00000030h]	1_2_036644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BA4B0 mov eax, dword ptr fs:[00000030h]	1_2_036BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EA49A mov eax, dword ptr fs:[00000030h]	1_2_036EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362CB7E mov eax, dword ptr fs:[00000030h]	1_2_0362CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]	1_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4B4B mov eax, dword ptr fs:[00000030h]	1_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03702B57 mov eax, dword ptr fs:[00000030h]	1_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]	1_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6B40 mov eax, dword ptr fs:[00000030h]	1_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FAB40 mov eax, dword ptr fs:[00000030h]	1_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D8B42 mov eax, dword ptr fs:[00000030h]	1_2_036D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628B50 mov eax, dword ptr fs:[00000030h]	1_2_03628B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DEB50 mov eax, dword ptr fs:[00000030h]	1_2_036DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]	1_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EB20 mov eax, dword ptr fs:[00000030h]	1_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]	1_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F8B28 mov eax, dword ptr fs:[00000030h]	1_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704B00 mov eax, dword ptr fs:[00000030h]	1_2_03704B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AEB1D mov eax, dword ptr fs:[00000030h]	1_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]	1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]	1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638BF0 mov eax, dword ptr fs:[00000030h]	1_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EBFC mov eax, dword ptr fs:[00000030h]	1_2_0365EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BCBF0 mov eax, dword ptr fs:[00000030h]	1_2_036BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]	1_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]	1_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650BCB mov eax, dword ptr fs:[00000030h]	1_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]	1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]	1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630BCD mov eax, dword ptr fs:[00000030h]	1_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DEBD0 mov eax, dword ptr fs:[00000030h]	1_2_036DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]	1_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640BBE mov eax, dword ptr fs:[00000030h]	1_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	1_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]	1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]	1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA6F mov eax, dword ptr fs:[00000030h]	1_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DEA60 mov eax, dword ptr fs:[00000030h]	1_2_036DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]	1_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036ACA72 mov eax, dword ptr fs:[00000030h]	1_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]	1_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]	1_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]	1_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h]	1_2_0366CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h]	1_2_0365EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]	1_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]	1_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366CA38 mov eax, dword ptr fs:[00000030h]	1_2_0366CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h]	1_2_036BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]	1_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]	1_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]	1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]	1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]	1_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h]	1_2_03630AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]	1_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]	1_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]	1_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]	1_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03686AA4 mov eax, dword ptr fs:[00000030h]	1_2_03686AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h]	1_2_03704A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h]	1_2_03668A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]	1_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367096E mov edx, dword ptr fs:[00000030h]	1_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]	1_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]	1_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]	1_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h]	1_2_036BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h]	1_2_036B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03704940 mov eax, dword ptr fs:[00000030h]	1_2_03704940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B892A mov eax, dword ptr fs:[00000030h]	1_2_036B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C892B mov eax, dword ptr fs:[00000030h]	1_2_036C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]	1_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]	1_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h]	1_2_036BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]	1_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]	1_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h]	1_2_036BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]	1_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]	1_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h]	1_2_036C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	1_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h]	1_2_036649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h]	1_2_036FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]	1_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]	1_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h]	1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]	1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]	1_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]	1_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]	1_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]	1_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]	1_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03642840 mov ecx, dword ptr fs:[00000030h]	1_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660854 mov eax, dword ptr fs:[00000030h]	1_2_03660854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]	1_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]	1_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]	1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]	1_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]	1_2_03652835

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006881F7

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065A364 SetUnhandledExceptionFilter,		0_2_0065A364
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_0065A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0065A395

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A46008

Jump to behavior

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00688C93 LogonUserW,

0_2_00688C93

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00633B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00633B4C

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00634A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00634A35

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00694EF5 mouse_event,

0_2_00694EF5

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe"

Jump to behavior

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

0_2_006881F7

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00694C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00694C03

Source: O06_SWIFT PAYMENT.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: O06_SWIFT PAYMENT.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_0065886B cpuid

0_2_0065886B

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_006650D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006650D7

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00672230 GetUserNameW,

0_2_00672230

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_0066418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0066418A

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe

Code function: 0_2_00634AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00634AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2435665627.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2437465832.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: O06_SWIFT PAYMENT.exe	Binary or memory string: WIN_81
Source: O06_SWIFT PAYMENT.exe	Binary or memory string: WIN_XP
Source: O06_SWIFT PAYMENT.exe	Binary or memory string: WIN_XPe
Source: O06_SWIFT PAYMENT.exe	Binary or memory string: WIN_VISTA
Source: O06_SWIFT PAYMENT.exe	Binary or memory string: WIN_7
Source: O06_SWIFT PAYMENT.exe	Binary or memory string: WIN_8
Source: O06_SWIFT PAYMENT.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2435665627.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2437465832.0000000003440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006A6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_006A6596
Source: C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe	Code function: 0_2_006A6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_006A6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
O06_SWIFT PAYMENT.exe	42%	ReversingLabs	Win32.Trojan.AutoitInject
O06_SWIFT PAYMENT.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580408
Start date and time:	2024-12-24 13:38:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	O06_SWIFT PAYMENT.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 46 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: O06_SWIFT PAYMENT.exe

Process:	C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.99456783683309
Encrypted:	true
SSDEEP:	3072:KWSHkz/LFZ3UigmpQSrpf6sz94t+4OLLoQt41LZvb+WfPTTudxHmHhEKZ6reBtBk:2UaGpf6e94AfUQt41vjubShEed/f78nN
MD5:	6B1316E859CFCED61D7896F553ADAC9C
SHA1:	3B98BB19AC39AF4CCE8874A875B0C24CCD47C42D
SHA-256:	3E7A4488BFA886CE43B1C907D0409AB21DD94AB578CA6BAD3F378B6681F9C24D
SHA-512:	AF15E6307B3A57B4CFB76333B95A1A2992F0CA7BEF59B49CE490A1A596EE4C50DB40B6BEEB4A2EF31980AF135A5BD8411BA78ECA987B10BDE0874766A3FA9D42
Malicious:	false
Reputation:	low
Preview:	...9JQPY]YSD..F8.KNEEAW9.QPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNE.AW9GN.WY.Z.h.Gt.j.-,2wI;>7+84s'( (W=k, e3"Wi8>y...d$!"]gFCOaAW9IQPY XZ.t.!.t+).x!0.S...c94.S...u+)._...u17..00,t.!.IKNEEAW9..PY.XRDdW.fIKNEEAW9.QRXRXXDI.B8IKNEEAW9.BPYYISDI>B8IK.EEQW9ISPY_YSDINF8OKNEEAW9I!TYY[SDINF8KK..EAG9IAPYYYCDI^F8IKNEUAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDg:#@=KNE..S9IAPYY.WDI^F8IKNEEAW9IQPYyYS$INF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNE

C:\Users\user\AppData\Local\Temp\uppishly

Download File

Process:	C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.99456783683309
Encrypted:	true
SSDEEP:	3072:KWSHkz/LFZ3UigmpQSrpf6sz94t+4OLLoQt41LZvb+WfPTTudxHmHhEKZ6reBtBk:2UaGpf6e94AfUQt41vjubShEed/f78nN
MD5:	6B1316E859CFCED61D7896F553ADAC9C
SHA1:	3B98BB19AC39AF4CCE8874A875B0C24CCD47C42D
SHA-256:	3E7A4488BFA886CE43B1C907D0409AB21DD94AB578CA6BAD3F378B6681F9C24D
SHA-512:	AF15E6307B3A57B4CFB76333B95A1A2992F0CA7BEF59B49CE490A1A596EE4C50DB40B6BEEB4A2EF31980AF135A5BD8411BA78ECA987B10BDE0874766A3FA9D42
Malicious:	false
Reputation:	low
Preview:	...9JQPY]YSD..F8.KNEEAW9.QPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNE.AW9GN.WY.Z.h.Gt.j.-,2wI;>7+84s'( (W=k, e3"Wi8>y...d$!"]gFCOaAW9IQPY XZ.t.!.t+).x!0.S...c94.S...u+)._...u17..00,t.!.IKNEEAW9..PY.XRDdW.fIKNEEAW9.QRXRXXDI.B8IKNEEAW9.BPYYISDI>B8IK.EEQW9ISPY_YSDINF8OKNEEAW9I!TYY[SDINF8KK..EAG9IAPYYYCDI^F8IKNEUAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDg:#@=KNE..S9IAPYY.WDI^F8IKNEEAW9IQPYyYS$INF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNEEAW9IQPYYYSDINF8IKNE

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.18269702890066
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	O06_SWIFT PAYMENT.exe
File size:	1'227'264 bytes
MD5:	472c1c23e9e15295bc2186cf3f5f2b77
SHA1:	c369d5f417651a2cf068d1c960451f214417528a
SHA256:	95e5f4aedd36c6d6a91df3e1504c518aa91fc548e2004c0f65f0af81a234dd0e
SHA512:	f823df905b9b617c2c8da53ff983bbdab85f3559c40fd352673deb1aaddeb8ebf967850db9a5f43fe0c4a44ca98050f958e994f6b5f9437247c7cfc8c7f5da8d
SSDEEP:	24576:jAHnh+eWsN3skA4RV1Hom2KXMmHarFL2F+O5i6G2209qIyO5:uh+ZkldoPK8YarMFH6t+
TLSH:	3545BE02B3D1C036FFAB92739B6AF60556BD79254123852F13982DB9BC701B2273D663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x676A4EBF [Tue Dec 24 06:03:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F0A70BA6A6Dh
jmp 00007F0A70B99824h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F0A70B999AAh
cmp edi, eax
jc 00007F0A70B99D0Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F0A70B999A9h
rep movsb
jmp 00007F0A70B99CBCh
cmp ecx, 00000080h
jc 00007F0A70B99B74h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F0A70B999B0h
bt dword ptr [004BF324h], 01h
jc 00007F0A70B99E80h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F0A70B99B4Dh
test edi, 00000003h
jne 00007F0A70B99B5Eh
test esi, 00000003h
jne 00007F0A70B99B3Dh
bt edi, 02h
jnc 00007F0A70B999AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F0A70B999B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F0A70B99A05h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x6132c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12a000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x6132c	0x61400	f3b8f69f0768d090a41ea90e21a82640	False	0.9325343428663239	data	7.904289800567862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12a000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x585f3	data			1.0003342809230573
RT_GROUP_ICON	0x128dac	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x128e24	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x128e38	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x128e4c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x128e60	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x128f3c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	07:39:30
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe"
Imagebase:	0x630000
File size:	1'227'264 bytes
MD5 hash:	472C1C23E9E15295BC2186CF3F5F2B77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:39:31
Start date:	24/12/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\O06_SWIFT PAYMENT.exe"
Imagebase:	0x1b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2435665627.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2437465832.0000000003440000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	149

Executed Functions

Function 00633B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00633B7A
IsDebuggerPresent.KERNEL32 ref: 00633B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,006F62F8,006F62E0,?,?), ref: 00633BFD

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

Part of subcall function 00640A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00633C26,006F62F8,?,?,?), ref: 00640ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00633C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006E93F0,00000010), ref: 0066D4BC
SetCurrentDirectoryW.KERNEL32(?,006F62F8,?,?,?), ref: 0066D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006E5D40,006F62F8,?,?,?), ref: 0066D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0066D581

Part of subcall function 00633A58: GetSysColorBrush.USER32(0000000F), ref: 00633A62
Part of subcall function 00633A58: LoadCursorW.USER32(00000000,00007F00), ref: 00633A71
Part of subcall function 00633A58: LoadIconW.USER32(00000063), ref: 00633A88
Part of subcall function 00633A58: LoadIconW.USER32(000000A4), ref: 00633A9A
Part of subcall function 00633A58: LoadIconW.USER32(000000A2), ref: 00633AAC
Part of subcall function 00633A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00633AD2
Part of subcall function 00633A58: RegisterClassExW.USER32(?), ref: 00633B28

Part of subcall function 006339E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00633A15
Part of subcall function 006339E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00633A36
Part of subcall function 006339E7: ShowWindow.USER32(00000000,?,?), ref: 00633A4A
Part of subcall function 006339E7: ShowWindow.USER32(00000000,?,?), ref: 00633A53

Part of subcall function 006343DB: _memset.LIBCMT ref: 00634401
Part of subcall function 006343DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006344A6

Strings

runas, xrefs: 0066D575
This is a third-party compiled AutoIt script., xrefs: 0066D4B4
%l, xrefs: 00633C56

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%l
API String ID: 529118366-3964005766
Opcode ID: 6bb4c1551a6621430aa9a79ac01e8b4da8dcb6a5cb55d7fd9d55df044ee07d4d
Instruction ID: b6370c6802fbc37f6ad4bfd0367480db547cd445d07d78d9f02209ece8c9feca
Opcode Fuzzy Hash: 6bb4c1551a6621430aa9a79ac01e8b4da8dcb6a5cb55d7fd9d55df044ee07d4d
Instruction Fuzzy Hash: A1513870E08248AEDF21EBB4DC05EFD7BBBAF14304F00516DF411A22A2DA705B46DBA5

Function 00634FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00634EEE,?,?,00000000,00000000), ref: 00634FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00634EEE,?,?,00000000,00000000), ref: 00635010
LoadResource.KERNEL32(?,00000000,?,?,00634EEE,?,?,00000000,00000000,?,?,?,?,?,?,00634F8F), ref: 0066DD60
SizeofResource.KERNEL32(?,00000000,?,?,00634EEE,?,?,00000000,00000000,?,?,?,?,?,?,00634F8F), ref: 0066DD75
LockResource.KERNEL32(Nc,?,?,00634EEE,?,?,00000000,00000000,?,?,?,?,?,?,00634F8F,00000000), ref: 0066DD88

Strings

SCRIPT, xrefs: 00635006
Nc, xrefs: 0066DD85

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Nc
API String ID: 3051347437-916036350
Opcode ID: d0d317c43e9d6c2c705f0ebe5e2566fc8ae931aca75ae79e55cfdad62e3c3149
Instruction ID: 88918245bfe4a8afd5fe164e13d0a4f564d34c28b5ec2773a852adb6d163e366
Opcode Fuzzy Hash: d0d317c43e9d6c2c705f0ebe5e2566fc8ae931aca75ae79e55cfdad62e3c3149
Instruction Fuzzy Hash: 70115AB5200700AFD7258B69DC58F677BBAEBC9B11F204268F506D6260DB72E84086A0

Function 00634AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00634B2B

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

GetCurrentProcess.KERNEL32(?,006BFAEC,00000000,00000000,?), ref: 00634BF8
IsWow64Process.KERNEL32(00000000), ref: 00634BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00634C45
FreeLibrary.KERNEL32(00000000), ref: 00634C50
GetSystemInfo.KERNEL32(00000000), ref: 00634C81
GetSystemInfo.KERNEL32(00000000), ref: 00634C8D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 81433a2211162fbca28a080ac677de0e38b38788f6aac604c47239a709524e5c
Instruction ID: 7ff6848f32bc8a4602e647b30674d6f8be42fd72fb1940877727f1a476fbcb8b
Opcode Fuzzy Hash: 81433a2211162fbca28a080ac677de0e38b38788f6aac604c47239a709524e5c
Instruction Fuzzy Hash: 2991C47194A7C4DEC731CB6884515AAFFE6AF2A300F484E9DD0CB97B41D620F948C799

Function 00694696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0066E7C1), ref: 006946A6
FindFirstFileW.KERNELBASE(?,?), ref: 006946B7
FindClose.KERNEL32(00000000), ref: 006946C7

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: bf21f3d29c4eb33c75e7f0f830028dc2df7e420aea3783765aa5dad759b18365
Instruction ID: f3dcf8ccb8e3f1f1b047b280c71484e852882064e0ce78e8ee5332688ff624a0
Opcode Fuzzy Hash: bf21f3d29c4eb33c75e7f0f830028dc2df7e420aea3783765aa5dad759b18365
Instruction Fuzzy Hash: 6DE0D8B14104005B4B106778EC5D8EA779E9E06335F100716F935C15F0EBB05D9185D5

Function 00640B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00640BBB
timeGetTime.WINMM ref: 00640E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00640FB3
TranslateMessage.USER32(?), ref: 00640FC7
DispatchMessageW.USER32(?), ref: 00640FD5
Sleep.KERNEL32(0000000A), ref: 00640FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0064105A
DestroyWindow.USER32 ref: 00641066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00641080
Sleep.KERNEL32(0000000A,?,?), ref: 006752AD
TranslateMessage.USER32(?), ref: 0067608A
DispatchMessageW.USER32(?), ref: 00676098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006760AC

Strings

@TRAY_ID, xrefs: 00675BB9
pro, xrefs: 00675383
@GUI_WINHANDLE, xrefs: 006753B9
@GUI_CTRLID, xrefs: 00675364
pro, xrefs: 006753D8
@GUI_CTRLHANDLE, xrefs: 0067540E
pro, xrefs: 0067542D
pro, xrefs: 00675BDE
@COM_EVENTOBJ, xrefs: 0067591A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pro$pro$pro$pro
API String ID: 4003667617-3645740969
Opcode ID: 7b8c9f8e400f956a57021f952046a250c1bc6bc0605c5840636d58ae1b98a71d
Instruction ID: a542f8587f64cde76bbfc552f8f0e9974ee5fb1c4f528271d1dc50619c457795
Opcode Fuzzy Hash: 7b8c9f8e400f956a57021f952046a250c1bc6bc0605c5840636d58ae1b98a71d
Instruction Fuzzy Hash: BDB2C170608741DFD764DF24C884BAAB7E7BF84304F14895DF58A872A1DBB1E885CB86

Function 006993DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006991E9: __time64.LIBCMT ref: 006991F3

Part of subcall function 00635045: _fseek.LIBCMT ref: 0063505D

__wsplitpath.LIBCMT ref: 006994BE

Part of subcall function 0065432E: __wsplitpath_helper.LIBCMT ref: 0065436E

_wcscpy.LIBCMT ref: 006994D1
_wcscat.LIBCMT ref: 006994E4
__wsplitpath.LIBCMT ref: 00699509
_wcscat.LIBCMT ref: 0069951F
_wcscat.LIBCMT ref: 00699532

Part of subcall function 0069922F: _memmove.LIBCMT ref: 00699268
Part of subcall function 0069922F: _memmove.LIBCMT ref: 00699277

_wcscmp.LIBCMT ref: 00699479

Part of subcall function 006999BE: _wcscmp.LIBCMT ref: 00699AAE
Part of subcall function 006999BE: _wcscmp.LIBCMT ref: 00699AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006996DC
_wcsncpy.LIBCMT ref: 0069974F
DeleteFileW.KERNEL32(?,?), ref: 00699785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0069979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006997AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006997BE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: fca27d67f6a70a2a73c7f55f82747a8290a10e72070da0a60128bcf9ff33b16b
Instruction ID: 3f1d7bd038ef0d4d5a3f0f1322a5691b2b28809c87026f23939b67eac71f0ef1
Opcode Fuzzy Hash: fca27d67f6a70a2a73c7f55f82747a8290a10e72070da0a60128bcf9ff33b16b
Instruction Fuzzy Hash: 01C12DB1D00229AADF61DF95CC85ADEB7BEEF45300F0040AAF609E7151DB319A858FA5

Function 00633015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00633074
RegisterClassExW.USER32(00000030), ref: 0063309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006330AF
InitCommonControlsEx.COMCTL32(?), ref: 006330CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006330DC
LoadIconW.USER32(000000A9), ref: 006330F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00633101

Strings

+, xrefs: 0063305D
AutoIt v3 GUI, xrefs: 00633090
0, xrefs: 00633056
TaskbarCreated, xrefs: 006330A4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f39fbd9055c8150a7cfa078ed4664f74d0822044a5eb26742d4e82a8e04a007d
Instruction ID: 88226c971bcd4642f1bbbf1f051d870e9053e8f428331634ad3140ea0e57d837
Opcode Fuzzy Hash: f39fbd9055c8150a7cfa078ed4664f74d0822044a5eb26742d4e82a8e04a007d
Instruction Fuzzy Hash: D53147B1941308AFDB108FA4EC88AD9BBF6FB09310F10566EF591A62A0D7B64581CF90

Function 00633041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00633074
RegisterClassExW.USER32(00000030), ref: 0063309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006330AF
InitCommonControlsEx.COMCTL32(?), ref: 006330CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006330DC
LoadIconW.USER32(000000A9), ref: 006330F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00633101

Strings

+, xrefs: 0063305D
AutoIt v3 GUI, xrefs: 00633090
0, xrefs: 00633056
TaskbarCreated, xrefs: 006330A4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cbdfda7326a4f0b62f9239067c64c847d01988df0e09e5ac8776918460e33322
Instruction ID: 2519c5e99143135b7b84e132b00186eedbebaf62f525f27ec94a6d923eeb06af
Opcode Fuzzy Hash: cbdfda7326a4f0b62f9239067c64c847d01988df0e09e5ac8776918460e33322
Instruction Fuzzy Hash: 0721C9B1911218AFDB00DF94EC49BDDBBF6FB09750F10622AF511A62A0D7B14584CFA1

Function 006371EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00634864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006F62F8,?,006337C0,?), ref: 00634882

Part of subcall function 0065074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006372C5), ref: 00650771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00637308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0066ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0066ED32
RegCloseKey.ADVAPI32(?), ref: 0066ED70
_wcscat.LIBCMT ref: 0066EDC9

Strings

Include, xrefs: 0066ECE8, 0066ED29
\, xrefs: 0066EDEC
\Include\, xrefs: 006372C5
Software\AutoIt v3\AutoIt, xrefs: 006372FE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: e2c534b03567c4d487f8926b8e616ded6da8d59ece0cb2d460e0a58c9c03b4d2
Instruction ID: e48bcc68837d11e9caa1675bec9fc0179dc5a2e50445361d50f6ccaa2a12e69e
Opcode Fuzzy Hash: e2c534b03567c4d487f8926b8e616ded6da8d59ece0cb2d460e0a58c9c03b4d2
Instruction Fuzzy Hash: 36716EB14083019EC354EF29EC819ABBBFAFF55750F40152EF445972B0EB319A48CB96

Function 00633633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006336D2
KillTimer.USER32(?,00000001), ref: 006336FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0063371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0063372A
CreatePopupMenu.USER32 ref: 0063373E
PostQuitMessage.USER32(00000000), ref: 0063375F

Strings

TaskbarCreated, xrefs: 00633725
%l, xrefs: 0066D2D1, 0066D31F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%l
API String ID: 129472671-205000773
Opcode ID: 756ac5cc49ac4aed92705d24d2234a2205503d34af4ba455283c4c46daf5c5a6
Instruction ID: c5c6fb205b33895f23cc259a707f8736217d064e69d6b2d453d2efa9f5cc0377
Opcode Fuzzy Hash: 756ac5cc49ac4aed92705d24d2234a2205503d34af4ba455283c4c46daf5c5a6
Instruction Fuzzy Hash: 6A41F5B2A04115BBDF145F38EC1ABB93767EB02340F14122DF602963B1DEA1AE41D7E9

Function 00633A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00633A62
LoadCursorW.USER32(00000000,00007F00), ref: 00633A71
LoadIconW.USER32(00000063), ref: 00633A88
LoadIconW.USER32(000000A4), ref: 00633A9A
LoadIconW.USER32(000000A2), ref: 00633AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00633AD2
RegisterClassExW.USER32(?), ref: 00633B28

Part of subcall function 00633041: GetSysColorBrush.USER32(0000000F), ref: 00633074
Part of subcall function 00633041: RegisterClassExW.USER32(00000030), ref: 0063309E
Part of subcall function 00633041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006330AF
Part of subcall function 00633041: InitCommonControlsEx.COMCTL32(?), ref: 006330CC
Part of subcall function 00633041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006330DC
Part of subcall function 00633041: LoadIconW.USER32(000000A9), ref: 006330F2
Part of subcall function 00633041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00633101

Strings

0, xrefs: 00633B06
AutoIt v3, xrefs: 00633B17
#, xrefs: 00633B0D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d69bcac24e069e8c5624291594c81aec39e6f42e22447194472ca9e911c608a4
Instruction ID: 7f1a588234eadc78a10548cb656f9a6b16691ad1dbfa5e57771a516964721afe
Opcode Fuzzy Hash: d69bcac24e069e8c5624291594c81aec39e6f42e22447194472ca9e911c608a4
Instruction Fuzzy Hash: 50212BB1D00304AFEB109FA4EC09BAD7FB6FB08721F10516AF505A62B0D7B69654CF94

Function 00633778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bo, xrefs: 0066D44E
/AutoIt3OutputDebug, xrefs: 006338A4
/AutoIt3ExecuteScript, xrefs: 006338CE
/AutoIt3ExecuteLine, xrefs: 006338B9
CMDLINE, xrefs: 00633834
/ErrorStdOut, xrefs: 0063388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006337C0
CMDLINERAW, xrefs: 0063380D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bo
API String ID: 1825951767-2543285686
Opcode ID: 6dddb018b1f56f3f6324f571e9671ff11f08dd04418d102e9ebc4cc043c70cb9
Instruction ID: 353a4b89afcbc3288d0785a9157db9a9ca2c939cda82172d9dc3d7e8fdb04be0
Opcode Fuzzy Hash: 6dddb018b1f56f3f6324f571e9671ff11f08dd04418d102e9ebc4cc043c70cb9
Instruction Fuzzy Hash: F9A12071D1022D9ADB54EFA4CC91AEEB77ABF14300F44052EF416B7291DF746A09CBA4

Function 0063F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006503A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006503D3
Part of subcall function 006503A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006503DB
Part of subcall function 006503A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006503E6
Part of subcall function 006503A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006503F1
Part of subcall function 006503A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006503F9
Part of subcall function 006503A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00650401

Part of subcall function 00646259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0063FA90), ref: 006462B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0063FB2D
OleInitialize.OLE32(00000000), ref: 0063FBAA
CloseHandle.KERNEL32(00000000), ref: 006749F2

Strings

co, xrefs: 0063F94B
%l, xrefs: 0063F8F6, 0063F908, 0063FACE, 0063FBB1
<go, xrefs: 0063FA90
\do, xrefs: 0063F957

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <go$\do$%l$co
API String ID: 1986988660-2974428603
Opcode ID: 51712c7e8f499054e5e748a7c0886d2efaee992c6893d5bd59faedc05c5494c2
Instruction ID: a075675e472727f48c61ddf388661f33b2418be119d2a278c4919133c16e23dc
Opcode Fuzzy Hash: 51712c7e8f499054e5e748a7c0886d2efaee992c6893d5bd59faedc05c5494c2
Instruction Fuzzy Hash: 1681A4B19042408EC794EF2AED556757AF7FB99308B10A13EB419C7272EB718809CF95

Function 00CC21E8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00CC22B9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CC24DF

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: 91056711166a02c949cd54cb855b626c25195eb6d9a895f178b5b3fec083afd4
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: C6A1F674E00209EBDB18CFA4C895FEEBBB5BF48304F208159E515BB280D7799A81DB95

Function 006339E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00633A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00633A36
ShowWindow.USER32(00000000,?,?), ref: 00633A4A
ShowWindow.USER32(00000000,?,?), ref: 00633A53

Strings

edit, xrefs: 00633A30
AutoIt v3, xrefs: 00633A0D, 00633A12, 00633A13

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a8e8c82e6bc28c8ea49a97fec548a1faae4cf630baf22b2db83913021024c0bd
Instruction ID: 96e134f075ad417c9dc4de4eca5a4dd7b36a4b4df6f41ad2feb3c46759a42640
Opcode Fuzzy Hash: a8e8c82e6bc28c8ea49a97fec548a1faae4cf630baf22b2db83913021024c0bd
Instruction Fuzzy Hash: 99F0DAB1641290BEEB311B2BAC4DE773E7FD7C6F50B11512AB904A2170C6A61951DAB0

Function 00CC1FB8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CC1EA8: Sleep.KERNELBASE(000001F4), ref: 00CC1EB9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CC20E0

Strings

EAW9IQPYYYSDINF8IKNE, xrefs: 00CC2143, 00CC2146

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CreateFileSleep
String ID: EAW9IQPYYYSDINF8IKNE
API String ID: 2694422964-539966690
Opcode ID: add631108dceba37cdd0dc1ed550e9317e6585a80869a6d88bde67ea0d4016cd
Instruction ID: e28891bf7d50a29134d6c5a71cb343d1486a24c6dcedb0281b90d2a95b4cabf0
Opcode Fuzzy Hash: add631108dceba37cdd0dc1ed550e9317e6585a80869a6d88bde67ea0d4016cd
Instruction Fuzzy Hash: 1C519E71D04248EBEF11DBE4C859BEEBBB8AF15304F04419DE608BB2C1D6B90B44CB65

Function 0063410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0066D5EC

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

_memset.LIBCMT ref: 0063418D
_wcscpy.LIBCMT ref: 006341E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006341F1

Strings

Line: , xrefs: 0066D615

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 547e96639d86a2aec3a17ee98d89ca7ad6db6597514361d0d5399c6bdaca8183
Instruction ID: d0e3bc6d6e5874650609dcde57310d91b59d726a81f72d15fa91c63288d11229
Opcode Fuzzy Hash: 547e96639d86a2aec3a17ee98d89ca7ad6db6597514361d0d5399c6bdaca8183
Instruction Fuzzy Hash: 0531B1B1408304AED771EB60DC46BEBB7EAAF44304F10451EF585921A1EF74A748CBDA

Function 006369CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00634F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00634F6F

_free.LIBCMT ref: 0066E68C
_free.LIBCMT ref: 0066E6D3

Part of subcall function 00636BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00636D0D

Strings

Bad directive syntax error, xrefs: 0066E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0066E462

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 5badeff3fcbb806bcaf2bba7e9727fe9b455cfcadfbddfc937aaa9d812a50fcc
Instruction ID: 9d179d328ef7ef3a1c370a25e8ff24a70bb2b8afe41db989ee6857069aba0ecd
Opcode Fuzzy Hash: 5badeff3fcbb806bcaf2bba7e9727fe9b455cfcadfbddfc937aaa9d812a50fcc
Instruction Fuzzy Hash: 4F91AD71910219AFCF04EFA4CC919EDB7BAFF15314F14442DF812AB2A1EB31A905CBA4

Function 006335B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006335A1,SwapMouseButtons,00000004,?), ref: 006335D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006335A1,SwapMouseButtons,00000004,?,?,?,?,00632754), ref: 006335F5
RegCloseKey.KERNELBASE(00000000,?,?,006335A1,SwapMouseButtons,00000004,?,?,?,?,00632754), ref: 00633617

Strings

Control Panel\Mouse, xrefs: 006335D2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 646db82cea17b8b6f6a1dccb49cc14f1f5a1240e850f65999e344200b09df41c
Instruction ID: b7dbcbfe3c61352452bb91e4c1e5fb4078c729bd5f40d1b5aa92473eefc97c06
Opcode Fuzzy Hash: 646db82cea17b8b6f6a1dccb49cc14f1f5a1240e850f65999e344200b09df41c
Instruction Fuzzy Hash: A91148B1910228BFDB209F64DC419EEB7BEEF05740F005569F805D7320D2719F4097A0

Function 00CC0EA8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CC1663
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CC16F9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CC171B

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 8b12133a44fa6534826fff9c78975b5935cd696c41713844b58615d254a0710a
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: 2E622B30A14218DBEB24CFA5C850BDEB372EF58300F1491A9E51DEB391E7799E81CB59

Function 006997E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00635045: _fseek.LIBCMT ref: 0063505D

Part of subcall function 006999BE: _wcscmp.LIBCMT ref: 00699AAE
Part of subcall function 006999BE: _wcscmp.LIBCMT ref: 00699AC1

_free.LIBCMT ref: 0069992C
_free.LIBCMT ref: 00699933
_free.LIBCMT ref: 0069999E

Part of subcall function 00652F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00659C64), ref: 00652FA9
Part of subcall function 00652F95: GetLastError.KERNEL32(00000000,?,00659C64), ref: 00652FBB

_free.LIBCMT ref: 006999A6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 31b14de837877638393988194c008da8b72128a246311ab5fe8eaea135228eee
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: E65150B1D04218AFDF649F64DC45A9EBB7AEF48310F1404AEB609A7241DB715E90CF68

Function 0065493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006549D0
__flush.LIBCMT ref: 006549F0
__write.LIBCMT ref: 00654A23
__flsbuf.LIBCMT ref: 00654A51

Part of subcall function 00658D68: __getptd_noexit.LIBCMT ref: 00658D68

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: e686eeae437ec94fba4c230da1a7bbd3a04523237c044cc7e316bf0fefc4a5eb
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 6441E5346006069BDB688E69C8819AF77A7EF8036AF2481ADEC5587784DF709DC98744

Function 00634DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00634E1A

Strings

AU3!P/l, xrefs: 00634E14
EA06, xrefs: 0066DCF5

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/l$EA06
API String ID: 4104443479-629076873
Opcode ID: 0b8872406236711e48f75ebe47b5f9ab4b67c56d616b13d77218ee101ac65a66
Instruction ID: 8ca22d9fad1dc15775c6d8c1a2dc6ef9508ddd7938bd871aa124e56d43ff06bd
Opcode Fuzzy Hash: 0b8872406236711e48f75ebe47b5f9ab4b67c56d616b13d77218ee101ac65a66
Instruction Fuzzy Hash: 88414C61A042585BDF255B64C8517FEFFA7EF45300F684069EC829B382DE21AD8587E1

Function 006373E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066EE62
GetOpenFileNameW.COMDLG32(?), ref: 0066EEAC

Part of subcall function 006348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006348A1,?,?,006337C0,?), ref: 006348CE

Part of subcall function 006509D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006509F4

Strings

X, xrefs: 0066EE7A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: aa17a43c5f4e6bc6c8fc15a44aad88d20c9fd2e9463cff4ec90287bb85d70de6
Instruction ID: df24710f0a8495deb9f6932c830f46dde471c45335bcf331b265a2914bbe8acc
Opcode Fuzzy Hash: aa17a43c5f4e6bc6c8fc15a44aad88d20c9fd2e9463cff4ec90287bb85d70de6
Instruction Fuzzy Hash: 2821F6719002989BCB51DF94CC057EE7BFA9F49300F04401AF408E7282DBB459898FA5

Function 00699B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00699B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00699B99

Strings

aut, xrefs: 00699B93

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 7708621dca9ac23be90d54b2ceb272c5a7b0ae92e689c69f2b1cadd240343aee
Instruction ID: 177a9485bacdc8b70c44e937371ccca661a35ea3934e21dbc0418559d96f295d
Opcode Fuzzy Hash: 7708621dca9ac23be90d54b2ceb272c5a7b0ae92e689c69f2b1cadd240343aee
Instruction Fuzzy Hash: F0D05EB954030DABDB209BD4DC0EF9A776DEB04700F0052A1BF54911A1DEB066D88B91

Function 006ACDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4a75e96b3f4429ed8487facc5368577061753458d594e51ee9f02d39b862b6
Instruction ID: 1e31d15ad5442c4982559ca3d27d6c9718599601153068508ca555b71f43672b
Opcode Fuzzy Hash: fd4a75e96b3f4429ed8487facc5368577061753458d594e51ee9f02d39b862b6
Instruction Fuzzy Hash: 27F117705083019FCB54EF28C484A6ABBE6BF89314F14892DF89A9B351D771ED46CF92

Function 006343DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00634401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006344A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 006344C3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: c8576d1a3bfd97260e5ac50ad1fe4bfeeafe773b81a8240a8cda51493ff92b36
Instruction ID: cae92af0b3e5a550c484931af787f0330e50195cbd78717103663079302d48d2
Opcode Fuzzy Hash: c8576d1a3bfd97260e5ac50ad1fe4bfeeafe773b81a8240a8cda51493ff92b36
Instruction Fuzzy Hash: F5314FB05047119FD761DF24D8846ABBBE9EB48304F00093EF59A82352DB75AA48CB92

Function 0065594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00655963

Part of subcall function 0065A3AB: __NMSG_WRITE.LIBCMT ref: 0065A3D2
Part of subcall function 0065A3AB: __NMSG_WRITE.LIBCMT ref: 0065A3DC

__NMSG_WRITE.LIBCMT ref: 0065596A

Part of subcall function 0065A408: GetModuleFileNameW.KERNEL32(00000000,006F43BA,00000104,?,00000001,00000000), ref: 0065A49A
Part of subcall function 0065A408: ___crtMessageBoxW.LIBCMT ref: 0065A548

Part of subcall function 006532DF: ___crtCorExitProcess.LIBCMT ref: 006532E5
Part of subcall function 006532DF: ExitProcess.KERNEL32 ref: 006532EE

Part of subcall function 00658D68: __getptd_noexit.LIBCMT ref: 00658D68

RtlAllocateHeap.NTDLL(00C80000,00000000,00000001,00000000,?,?,?,00651013,?), ref: 0065598F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6470cd8e5aadc75b642604e45529ad871c29deb782c154531b1fa0195b7846d9
Instruction ID: 87ba3cd8e73492d79c5a6400a260e1641f23b2d0608822bc098b918b4e0eb9d1
Opcode Fuzzy Hash: 6470cd8e5aadc75b642604e45529ad871c29deb782c154531b1fa0195b7846d9
Instruction Fuzzy Hash: 4F012631200B51DED7103769DC266AE339B8F41B73F10012EFC02AB681DE749D498269

Function 00699B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006997D2,?,?,?,?,?,00000004), ref: 00699B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006997D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00699B5B
CloseHandle.KERNEL32(00000000,?,006997D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00699B62

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d073fb3303139aa4ec7c0138279c1c3a86f0d873263dc75ae41a7b64e0bfd7dc
Instruction ID: ccf4dc41f3f01f02c56a0127796b9c1a3ea686414221b75835835fb50b68757a
Opcode Fuzzy Hash: d073fb3303139aa4ec7c0138279c1c3a86f0d873263dc75ae41a7b64e0bfd7dc
Instruction Fuzzy Hash: B6E08632180214B7EB211B58EC09FCA7B5AAB05775F144220FB14790F087B125519798

Function 00698F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00698FA5

Part of subcall function 00652F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00659C64), ref: 00652FA9
Part of subcall function 00652F95: GetLastError.KERNEL32(00000000,?,00659C64), ref: 00652FBB

_free.LIBCMT ref: 00698FB6
_free.LIBCMT ref: 00698FC8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: a5fc2d433abdcf3009dad7bc77ca839cc04fdc597cd6623e04ee60b4f9863fdd
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 16E012A16097024ECE64A978BD50AD357EF5F4A3A1F18181DB809DB642DE24E8558128

Function 0063AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0067002B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 20573f5ac972d07b58b2838e166c300f38c168cec70a8f4b5fa112b9c4d9953e
Instruction ID: 9a44209405281a4e32d15dd7e2991a05bba9154ddd4184196082ff8ed9e9394f
Opcode Fuzzy Hash: 20573f5ac972d07b58b2838e166c300f38c168cec70a8f4b5fa112b9c4d9953e
Instruction Fuzzy Hash: 39224670508241CFDB68DF54C490B6ABBE2FF85300F14895DE88A8B362DB31ED85DB96

Function 00637BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00637C0B
_memmove.LIBCMT ref: 00637C76

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction ID: 6ff234c343226873f929e347d98c0f65f06319ad3c0472db1ab5e926deccf4e5
Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction Fuzzy Hash: 0431A2B1604506AFC724DF28D8D1EAAF3AAFF48310B15862DE915CB391DB70E850CBD4

Function 0063492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00634992

Part of subcall function 006535AC: __lock.LIBCMT ref: 006535B2
Part of subcall function 006535AC: DecodePointer.KERNEL32(00000001,?,006349A7,006881BC), ref: 006535BE
Part of subcall function 006535AC: EncodePointer.KERNEL32(?,?,006349A7,006881BC), ref: 006535C9

Part of subcall function 00634A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00634A73
Part of subcall function 00634A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00634A88

Part of subcall function 00633B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00633B7A
Part of subcall function 00633B4C: IsDebuggerPresent.KERNEL32 ref: 00633B8C
Part of subcall function 00633B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,006F62F8,006F62E0,?,?), ref: 00633BFD
Part of subcall function 00633B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00633C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006349D2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 610e6e4a4b443d43d9024bfd313f98d47ebd581a18750198843708687560b154
Instruction ID: 20b342591d704f542c8982bcdef10e3cd7bdac32d17a68c390d376bb5a072445
Opcode Fuzzy Hash: 610e6e4a4b443d43d9024bfd313f98d47ebd581a18750198843708687560b154
Instruction Fuzzy Hash: 6B118C719083119BC300EF29EC0591AFBFAEB94710F00461EF485872B1DBB09655CB96

Function 00650FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0065594C: __FF_MSGBANNER.LIBCMT ref: 00655963
Part of subcall function 0065594C: __NMSG_WRITE.LIBCMT ref: 0065596A
Part of subcall function 0065594C: RtlAllocateHeap.NTDLL(00C80000,00000000,00000001,00000000,?,?,?,00651013,?), ref: 0065598F

std::exception::exception.LIBCMT ref: 0065102C
__CxxThrowException@8.LIBCMT ref: 00651041

Part of subcall function 006587DB: RaiseException.KERNEL32(?,?,?,006EBAF8,00000000,?,?,?,?,00651046,?,006EBAF8,?,00000001), ref: 00658830

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 825be8e5537ea00bbfefa20eab40309d3c646795f5ea0590f7840aa6662429f1
Instruction ID: 62d15fe695d0cad89054fbfd40c17af00c7af53c2ef2a98b62c3d0b1db1c92b4
Opcode Fuzzy Hash: 825be8e5537ea00bbfefa20eab40309d3c646795f5ea0590f7840aa6662429f1
Instruction Fuzzy Hash: 41F02D3450035DA6CB20BE58DC25AEF7BAFDF01352F10042DFC04A6681DF719AD882D4

Function 006555D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00658D68: __getptd_noexit.LIBCMT ref: 00658D68

__lock_file.LIBCMT ref: 0065561B

Part of subcall function 00656E4E: __lock.LIBCMT ref: 00656E71

__fclose_nolock.LIBCMT ref: 00655626

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 68f6c42ea5c76e90d79f7909e660c722254d31c39cf00844ea4713ef3ca5a60d
Instruction ID: 386d9161f3a63fe49fb581a3612727bb0c022cfedefa82d722e8e898a8fd177c
Opcode Fuzzy Hash: 68f6c42ea5c76e90d79f7909e660c722254d31c39cf00844ea4713ef3ca5a60d
Instruction Fuzzy Hash: 08F0F631801B409ED7606B35881675E76A31F40336F65420DAC52AB1E1CF7C89098B49

Function 00CC0EA5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CC1663
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CC16F9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CC171B

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: 2fa53c4e65926aac0426882a31bb7caea5f6740ae556cc37d995d9e5fd8aa309
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: E312CC24A24658C6EB24DF64D8507DEB232EF68300F1090EDD10DEB7A5E77A4F81CB5A

Function 00650E48 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00650EF7

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 480932d92b3d82c88a4248ef56d98e81881bc6a8efa36f639834fcb938a50d6b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: BB31B371A00106DBE718DF58D4829A9F7A6FF59301F788AA5E80ACB751D731EDC5CB80

Function 006700D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006700E1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: bec24234501b5f1ddfd3fff376a25e2f9139a8b7691311d2922fdea66cd1b344
Instruction ID: 0677a22082dbd5c116212e2ab2d94e3bfbd22b78878f5ff6f0eaee6273fadd7d
Opcode Fuzzy Hash: bec24234501b5f1ddfd3fff376a25e2f9139a8b7691311d2922fdea66cd1b344
Instruction Fuzzy Hash: B4411874504341CFDB24DF54C484B5ABBE2BF45318F19889CE9894B362C732EC85DB96

Function 00637CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00637D13

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 59ea15e934eca75f95ed15468370dd6d640df3a19487c6055a37a7c679a4ddde
Instruction ID: 2a6ed5e1dd1fca5c21906639bd9171624776c72e872c56226fc147d31168d8b3
Opcode Fuzzy Hash: 59ea15e934eca75f95ed15468370dd6d640df3a19487c6055a37a7c679a4ddde
Instruction Fuzzy Hash: 9C21F4B1604609EBDB204F14FC8176A7BB7FF14391F21946DE886C9191EB3090D0D789

Function 00634F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00634D13: FreeLibrary.KERNEL32(00000000,?), ref: 00634D4D

Part of subcall function 0065548B: __wfsopen.LIBCMT ref: 00655496

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00634F6F

Part of subcall function 00634CC8: FreeLibrary.KERNEL32(00000000), ref: 00634D02

Part of subcall function 00634DD0: _memmove.LIBCMT ref: 00634E1A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 76704a5807d0824b4fc4bdae732e22757901cf45fda3b952e4affcc1e08e0a5e
Instruction ID: a7c61360d4b80c4869d163352c283094c39b225e358c38fc04acbc413fab4d71
Opcode Fuzzy Hash: 76704a5807d0824b4fc4bdae732e22757901cf45fda3b952e4affcc1e08e0a5e
Instruction Fuzzy Hash: FD11E731A00305AACB54BF70DC12BAEB7AB9F80701F10842DF542A72C1DE71AA159BE4

Function 006701AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006701BB

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8bf2411bb7d000894599c06d27657868aafa164837689cc9c9dc52c6a05b3b08
Instruction ID: d2e6fd3b88cdd51532d435861ddee5322fff3369124505fa7e6196cd20f64e44
Opcode Fuzzy Hash: 8bf2411bb7d000894599c06d27657868aafa164837689cc9c9dc52c6a05b3b08
Instruction Fuzzy Hash: C42144B4508341CFCB24DF54C444B5ABBE2BF89314F04896CE88A4B362D731E849DBA2

Function 00654A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00654AD6

Part of subcall function 00658D68: __getptd_noexit.LIBCMT ref: 00658D68

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: b8c32ce5913b574644f8601bdc1342f94369cfc3905826d3d0bbb53581861b1f
Instruction ID: 857fc68bd74b94b5ff2392ef0ee1d958f2746093a21f5c879f7ab8ed4766a66d
Opcode Fuzzy Hash: b8c32ce5913b574644f8601bdc1342f94369cfc3905826d3d0bbb53581861b1f
Instruction Fuzzy Hash: 76F0D1318002099BDBD1AF648C023DE36A3AF0032BF044148BC14AB1D1CF788A98CF49

Function 00634FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00634FDE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 991fa21351dc2f6e71dbaf5a5dc46b33a4e0598f286d612e53fc7586461e1730
Instruction ID: ea1c67f9d1fdeecc03a8ec03634007f4ddef8879da859b93fc7019737241b5f6
Opcode Fuzzy Hash: 991fa21351dc2f6e71dbaf5a5dc46b33a4e0598f286d612e53fc7586461e1730
Instruction Fuzzy Hash: D2F03971505712CFCB349F64E894862FBE2FF453297288A3EE5D782620CB31A884DF80

Function 006509D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006509F4

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 7e0e1411ae6cd8b2c2e40bef5a617bb4ea3ad9dcbae56f364ed3c30e1f2fb6ad
Instruction ID: 394c4e6b7137eec9a17fba8d1a86dcc449f7369b8c7a034de5be19db3e47c277
Opcode Fuzzy Hash: 7e0e1411ae6cd8b2c2e40bef5a617bb4ea3ad9dcbae56f364ed3c30e1f2fb6ad
Instruction Fuzzy Hash: E6E0867690422857C720D6A89C05FFA77EEDF89690F0401B6FC0CD7214D9A19D818694

Function 0065548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00655496

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 6e65d81d72086c8df1e4b69bf052697eecaf842b4dfc26e83de9f8fb62187fc7
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 1BB0927684020C77DE412E82EC02A693B5A9B40779F808020FF0C18162A673A6A49689

Function 00CC1EA8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00CC1EB9

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 179b3639a7e792722ea31e1307086634b0c337f32abe6285e996b9f8db8019c1
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 25E0E67494010DDFDB00EFB5D54D6DE7BB4EF04301F1001A5FD01D2680D6309D508A62

Non-executed Functions

Function 006BCDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006BCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006BCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006BCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006BCF00
SendMessageW.USER32 ref: 006BCF29
_wcsncpy.LIBCMT ref: 006BCFA1
GetKeyState.USER32(00000011), ref: 006BCFC2
GetKeyState.USER32(00000009), ref: 006BCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006BCFE5
GetKeyState.USER32(00000010), ref: 006BCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006BD018
SendMessageW.USER32 ref: 006BD03F
SendMessageW.USER32(?,00001030,?,006BB602), ref: 006BD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006BD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006BD16E
SetCapture.USER32(?), ref: 006BD177
ClientToScreen.USER32(?,?), ref: 006BD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006BD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006BD203
ReleaseCapture.USER32 ref: 006BD20E
GetCursorPos.USER32(?), ref: 006BD248
ScreenToClient.USER32(?,?), ref: 006BD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 006BD2B1
SendMessageW.USER32 ref: 006BD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 006BD31C
SendMessageW.USER32 ref: 006BD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006BD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006BD37B
GetCursorPos.USER32(?), ref: 006BD39B
ScreenToClient.USER32(?,?), ref: 006BD3A8
GetParent.USER32(?), ref: 006BD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 006BD431
SendMessageW.USER32 ref: 006BD462
ClientToScreen.USER32(?,?), ref: 006BD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006BD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 006BD51A
SendMessageW.USER32 ref: 006BD53D
ClientToScreen.USER32(?,?), ref: 006BD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006BD5C3

Part of subcall function 006325DB: GetWindowLongW.USER32(?,000000EB), ref: 006325EC

GetWindowLongW.USER32(?,000000F0), ref: 006BD65F

Strings

@GUI_DRAGID, xrefs: 006BD1AA
pro, xrefs: 006BD1BD
F, xrefs: 006BD543

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pro
API String ID: 3977979337-2510591313
Opcode ID: 8110ae26f2a54efec0cdaf6531a8d18b8f3f851115a41127271ddc6b96d96817
Instruction ID: 16b78600287bb15c67f5d1dc910eae22f49bfdef97ea8696a3c16dcf20236999
Opcode Fuzzy Hash: 8110ae26f2a54efec0cdaf6531a8d18b8f3f851115a41127271ddc6b96d96817
Instruction Fuzzy Hash: 3D4279B0204241EFD725CF28C844AEABBE7FF49364F14061DF6959B2A1D731E991CB92

Function 006B804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 006B873F

Strings

%d/%02d/%02d, xrefs: 006B8478

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 06e8ae60e6ddc9925e5229e2d6a33ed6142d73a6028272c1b3f09b18c0feb858
Instruction ID: ce1233c71b70526d0fd3f1cb3fcb263c8f2e28e3d04ab7c812c2df2449e61047
Opcode Fuzzy Hash: 06e8ae60e6ddc9925e5229e2d6a33ed6142d73a6028272c1b3f09b18c0feb858
Instruction Fuzzy Hash: F61291B1500204AFEB259F64CC49FEE7BBAEF85714F244129F915EB2A1EF709981CB50

Function 0064710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006475C2
_memset.LIBCMT ref: 006476B1
_memmove.LIBCMT ref: 00647C4B
_memmove.LIBCMT ref: 00647E4F

Strings

0wn, xrefs: 00681F5B
Oad, xrefs: 0068287E
[:>:]], xrefs: 0064760A
[:<:]], xrefs: 006475F1
\b(?=\w), xrefs: 00683C34
Q\E, xrefs: 006481C1
DEFINE, xrefs: 006825AF
\b(?<=\w), xrefs: 00683C41

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0wn$DEFINE$Oad$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1397932790
Opcode ID: 1ce047106dd9aad7e9902006fc38af6066899434ff90e9acb8a694e8af843ab2
Instruction ID: 462adf14a8052afed9469d754544198c53e6a20858b50c931ba999c3f95cc576
Opcode Fuzzy Hash: 1ce047106dd9aad7e9902006fc38af6066899434ff90e9acb8a694e8af843ab2
Instruction Fuzzy Hash: 9E938175A04216DFDB24DF58C8917EDB7B2FF48710F25826AE945AB381E7709E82CB40

Function 00634A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00634A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066DA8E
IsIconic.USER32(?), ref: 0066DA97
ShowWindow.USER32(?,00000009), ref: 0066DAA4
SetForegroundWindow.USER32(?), ref: 0066DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0066DAC4
GetCurrentThreadId.KERNEL32 ref: 0066DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0066DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0066DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0066DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0066DAF8
SetForegroundWindow.USER32(?), ref: 0066DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066DB10
keybd_event.USER32(00000012,00000000), ref: 0066DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066DB25
keybd_event.USER32(00000012,00000000), ref: 0066DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066DB33
keybd_event.USER32(00000012,00000000), ref: 0066DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0066DB42
keybd_event.USER32(00000012,00000000), ref: 0066DB47
SetForegroundWindow.USER32(?), ref: 0066DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0066DB71

Strings

Shell_TrayWnd, xrefs: 0066DA89

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ddd51a21269e6e0796c64e6042a050e4f8f70eede9f2c290e2dd57dba59afa62
Instruction ID: 6e0957409be27330360811c0c2efad6d3e1608fc644a43ac27b99deb11a94bd5
Opcode Fuzzy Hash: ddd51a21269e6e0796c64e6042a050e4f8f70eede9f2c290e2dd57dba59afa62
Instruction Fuzzy Hash: BC3175B1F803187BEB305FA59C49FBE3F6EEB44B50F114125FA04E61E0D6705941ABA0

Function 00688858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00688CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00688D0D
Part of subcall function 00688CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00688D3A
Part of subcall function 00688CC3: GetLastError.KERNEL32 ref: 00688D47

_memset.LIBCMT ref: 0068889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006888ED
CloseHandle.KERNEL32(?), ref: 006888FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00688915
GetProcessWindowStation.USER32 ref: 0068892E
SetProcessWindowStation.USER32(00000000), ref: 00688938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00688952

Part of subcall function 00688713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00688851), ref: 00688728
Part of subcall function 00688713: CloseHandle.KERNEL32(?,?,00688851), ref: 0068873A

Strings

winsta0, xrefs: 00688910
default, xrefs: 0068894D
, xrefs: 006888AA

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 1bd1cd597572126808ae8da200508fe3a18d406890f1152b72d5c4ce043be19f
Instruction ID: 9958458c402864300fda77c3bb5391cf0a57e9b46393e452e0fd5a5dc74f52cf
Opcode Fuzzy Hash: 1bd1cd597572126808ae8da200508fe3a18d406890f1152b72d5c4ce043be19f
Instruction Fuzzy Hash: 6E8163B1940249AFDF15EFA4DC45AEE7BBAEF04304F48426AF910A72A1DF318D54DB60

Function 006A425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006BF910), ref: 006A4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 006A4292
GetClipboardData.USER32(0000000D), ref: 006A429A
CloseClipboard.USER32 ref: 006A42A6
GlobalLock.KERNEL32(00000000), ref: 006A42C2
CloseClipboard.USER32 ref: 006A42CC
GlobalUnlock.KERNEL32(00000000), ref: 006A42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 006A42EE
GetClipboardData.USER32(00000001), ref: 006A42F6
GlobalLock.KERNEL32(00000000), ref: 006A4303
GlobalUnlock.KERNEL32(00000000), ref: 006A4337
CloseClipboard.USER32 ref: 006A4447

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 9964f9082c55e59114ef579395b2996c4dc9b4fa9aaa33c4f4e69a3f1f1be918
Instruction ID: 8575e9c0d42d8d31f2e03d806c8dd17c9190ca62f7e88ffcb29fa6de21959c4d
Opcode Fuzzy Hash: 9964f9082c55e59114ef579395b2996c4dc9b4fa9aaa33c4f4e69a3f1f1be918
Instruction Fuzzy Hash: 8351BFB5204301ABD710BF64DC86FAE77AAAF85B00F10462DF546D22B1DFB0DE458B66

Function 0069C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0069C9F8
FindClose.KERNEL32(00000000), ref: 0069CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0069CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0069CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0069CAAF
__swprintf.LIBCMT ref: 0069CAFB
__swprintf.LIBCMT ref: 0069CB3E

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

__swprintf.LIBCMT ref: 0069CB92

Part of subcall function 006538D8: __woutput_l.LIBCMT ref: 00653931

__swprintf.LIBCMT ref: 0069CBE0

Part of subcall function 006538D8: __flsbuf.LIBCMT ref: 00653953
Part of subcall function 006538D8: __flsbuf.LIBCMT ref: 0065396B

__swprintf.LIBCMT ref: 0069CC2F
__swprintf.LIBCMT ref: 0069CC7E
__swprintf.LIBCMT ref: 0069CCCD

Strings

%02d, xrefs: 0069CB86, 0069CB90, 0069CBDE, 0069CC2D, 0069CC7C, 0069CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 0069CAF5
%4d, xrefs: 0069CB38

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 289b8629321c068b01d502d98738f77385c47fad678f63e0303b05675be08338
Instruction ID: 43d4d45957549e35787a6b708cc48fbb2cf7b325c6780786f4ff36e29c3a5881
Opcode Fuzzy Hash: 289b8629321c068b01d502d98738f77385c47fad678f63e0303b05675be08338
Instruction Fuzzy Hash: BEA13EB2408304ABD754EBA4CD85DAFB7EEAF94704F40491DB586C3191EB74DA08CBA6

Function 0069F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0069F221
_wcscmp.LIBCMT ref: 0069F236
_wcscmp.LIBCMT ref: 0069F24D
GetFileAttributesW.KERNEL32(?), ref: 0069F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0069F279
FindNextFileW.KERNEL32(00000000,?), ref: 0069F291
FindClose.KERNEL32(00000000), ref: 0069F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0069F2B8
_wcscmp.LIBCMT ref: 0069F2DF
_wcscmp.LIBCMT ref: 0069F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0069F308
SetCurrentDirectoryW.KERNEL32(006EA5A0), ref: 0069F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0069F330
FindClose.KERNEL32(00000000), ref: 0069F33D
FindClose.KERNEL32(00000000), ref: 0069F34F

Strings

*.*, xrefs: 0069F2B3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 8789f27216306b84130fa097adab22108633521391720a151b2aec39f9e05100
Instruction ID: d24b69d12a2b04433e924a60fbb9b1ccbdb9bb32358e72c586c39f6d5706cd35
Opcode Fuzzy Hash: 8789f27216306b84130fa097adab22108633521391720a151b2aec39f9e05100
Instruction Fuzzy Hash: F83106B65012196ACF10DBF4DC58AEE73AE9F08361F150275E800D31A0EB75DF85CAA4

Function 006B0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,006BF910,00000000,?,00000000,?,?), ref: 006B0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006B0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006B0D1D
RegCloseKey.ADVAPI32(?), ref: 006B103D
RegCloseKey.ADVAPI32(00000000), ref: 006B104A

Strings

REG_QWORD, xrefs: 006B0F8B
REG_BINARY, xrefs: 006B0FD8
REG_MULTI_SZ, xrefs: 006B0E05
REG_EXPAND_SZ, xrefs: 006B0CBA
REG_DWORD, xrefs: 006B0F0E
REG_SZ, xrefs: 006B0D5B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 2dd4ff7dea1a5c382ac8fda42b7accd0552d381e5561564c0db558f93debc2c9
Instruction ID: 579c0b6e4ac139cd5e6067fdfd700c9fdc7f35f6952995acc2e24688de83db19
Opcode Fuzzy Hash: 2dd4ff7dea1a5c382ac8fda42b7accd0552d381e5561564c0db558f93debc2c9
Instruction Fuzzy Hash: C002AF752006119FCB54EF14C891E6ABBE6FF89714F04855CF88A9B3A2CB70ED41CB95

Function 0069F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0069F37E
_wcscmp.LIBCMT ref: 0069F393
_wcscmp.LIBCMT ref: 0069F3AA

Part of subcall function 006945C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006945DC

FindNextFileW.KERNEL32(00000000,?), ref: 0069F3D9
FindClose.KERNEL32(00000000), ref: 0069F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0069F400
_wcscmp.LIBCMT ref: 0069F427
_wcscmp.LIBCMT ref: 0069F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0069F450
SetCurrentDirectoryW.KERNEL32(006EA5A0), ref: 0069F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0069F478
FindClose.KERNEL32(00000000), ref: 0069F485
FindClose.KERNEL32(00000000), ref: 0069F497

Strings

*.*, xrefs: 0069F3FB

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 18d800c08289b4ae4ef20d9af20dbb0c7e078ff6d38f7b7cf7258fa539652663
Instruction ID: 1746ba0fa14eb80abb002e7f3448b744e3600f57c71a90a83e347af9b0d9c6e1
Opcode Fuzzy Hash: 18d800c08289b4ae4ef20d9af20dbb0c7e078ff6d38f7b7cf7258fa539652663
Instruction Fuzzy Hash: B33105715012196BCF109BA4EC88AEE73EE9F09760F160275E810E36A1DB34DE84CBA4

Function 006881F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0068874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00688766
Part of subcall function 0068874A: GetLastError.KERNEL32(?,0068822A,?,?,?), ref: 00688770
Part of subcall function 0068874A: GetProcessHeap.KERNEL32(00000008,?,?,0068822A,?,?,?), ref: 0068877F
Part of subcall function 0068874A: HeapAlloc.KERNEL32(00000000,?,0068822A,?,?,?), ref: 00688786
Part of subcall function 0068874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0068879D

Part of subcall function 006887E7: GetProcessHeap.KERNEL32(00000008,00688240,00000000,00000000,?,00688240,?), ref: 006887F3
Part of subcall function 006887E7: HeapAlloc.KERNEL32(00000000,?,00688240,?), ref: 006887FA
Part of subcall function 006887E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00688240,?), ref: 0068880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0068825B
_memset.LIBCMT ref: 00688270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0068828F
GetLengthSid.ADVAPI32(?), ref: 006882A0
GetAce.ADVAPI32(?,00000000,?), ref: 006882DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006882F9
GetLengthSid.ADVAPI32(?), ref: 00688316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00688325
HeapAlloc.KERNEL32(00000000), ref: 0068832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0068834D
CopySid.ADVAPI32(00000000), ref: 00688354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00688385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006883AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006883BF

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 3229cc0e8a47fcbe97f26ce3dd826c9d0161c946efc42ce76df0adc504c321ac
Instruction ID: 94554980b57197c1dd22cdf8bee577653ddb5c7a1c8ba2de7069fe0a3516e240
Opcode Fuzzy Hash: 3229cc0e8a47fcbe97f26ce3dd826c9d0161c946efc42ce76df0adc504c321ac
Instruction Fuzzy Hash: CA615E7190021ABFDF00EF94DD54AEEBB7AFF04700F548269F915A72A1DB319A45CB60

Function 00646843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00681771
CR), xrefs: 006816C0
ANYCRLF), xrefs: 00681734
LIMIT_RECURSION=, xrefs: 00681635
UCP), xrefs: 00681546
PJm, xrefs: 006468B3
BSR_ANYCRLF), xrefs: 00681757
LIMIT_MATCH=, xrefs: 006815A9
LF), xrefs: 006816DD
NO_AUTO_POSSESS), xrefs: 00681567
Oad, xrefs: 00681888, 0068192F, 006819DD
NO_START_OPT), xrefs: 00681588
UTF16), xrefs: 00681508
UTF), xrefs: 00681533
CRLF), xrefs: 006816FA
ANY), xrefs: 00681717

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oad$PJm$UCP)$UTF)$UTF16)
API String ID: 0-1268353088
Opcode ID: 71ea3c84a56bdf4d33459369296e28731fddc9944e7c81bfa643bfe8a88dd9ab
Instruction ID: 3ff372f0aa0cc1f73a87b04b8c54d431db7cf7ba7b3744493f87d691a526329c
Opcode Fuzzy Hash: 71ea3c84a56bdf4d33459369296e28731fddc9944e7c81bfa643bfe8a88dd9ab
Instruction Fuzzy Hash: F3727175E002199BDB14DF59C8907EEB7B6FF49710F14816AE849EB380EB709D82CB91

Function 006B0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B0038,?,?), ref: 006B10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B0737

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006B07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006B086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006B0AAD
RegCloseKey.ADVAPI32(00000000), ref: 006B0ABA

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: faaa4d71c11fda12a1b42179f3f5e9c3ab89eeb0034afe00c94117473801984b
Instruction ID: 894938362c342899ff923347c86bc89ce57480ba11ff553ff848c39dc5e949b2
Opcode Fuzzy Hash: faaa4d71c11fda12a1b42179f3f5e9c3ab89eeb0034afe00c94117473801984b
Instruction Fuzzy Hash: 86E15F71204310AFDB54DF28C891E6BBBE6FF89714F04896DF44ADB262DA30E945CB51

Function 00690219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00690241
GetAsyncKeyState.USER32(000000A0), ref: 006902C2
GetKeyState.USER32(000000A0), ref: 006902DD
GetAsyncKeyState.USER32(000000A1), ref: 006902F7
GetKeyState.USER32(000000A1), ref: 0069030C
GetAsyncKeyState.USER32(00000011), ref: 00690324
GetKeyState.USER32(00000011), ref: 00690336
GetAsyncKeyState.USER32(00000012), ref: 0069034E
GetKeyState.USER32(00000012), ref: 00690360
GetAsyncKeyState.USER32(0000005B), ref: 00690378
GetKeyState.USER32(0000005B), ref: 0069038A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: caaa7f535850c6f02ebc25a3d07dc6268efd068d605980e96496ce85aa3912b2
Instruction ID: 07d43b8edf36da2e09847dbe16c48c595a79c706c3fc8f9215ead64f34c53154
Opcode Fuzzy Hash: caaa7f535850c6f02ebc25a3d07dc6268efd068d605980e96496ce85aa3912b2
Instruction Fuzzy Hash: 6341DB345047CA6EFF718B6488083F5BEAB6F12340F18819ED5C647BC2EB945AC4C7A2

Function 006A4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006A447F
EmptyClipboard.USER32 ref: 006A4485
GlobalAlloc.KERNEL32(00000002,?), ref: 006A449A
CloseClipboard.USER32 ref: 006A4539

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 01cd5f5091cf76c8b900bfc7e8f4379acab21675fc4926533645bcb390abb15e
Instruction ID: 678a5d3423a286ab27c064c04bc04489e1ebea893fb4b3fd29fc16fac791a2c2
Opcode Fuzzy Hash: 01cd5f5091cf76c8b900bfc7e8f4379acab21675fc4926533645bcb390abb15e
Instruction Fuzzy Hash: 8921B2752002109FDB10AF64EC09B6D77AAEF45711F10812AF946DB2B1DFB0AD41CF98

Function 00693A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006348A1,?,?,006337C0,?), ref: 006348CE

Part of subcall function 00694CD3: GetFileAttributesW.KERNEL32(?,00693947), ref: 00694CD4

FindFirstFileW.KERNEL32(?,?), ref: 00693ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00693B87
MoveFileW.KERNEL32(?,?), ref: 00693B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00693BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00693BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00693BF5

Strings

\*.*, xrefs: 00693A8A, 00693A93, 00693AA8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 31100d1ddba204ca855414217a3fa3bca48ca3f0dcf9af2ea3f2ffb0d1136758
Instruction ID: ee7d736910eec7e6cc0814298e766d409f0730903b409c604b3bcf88f27e99f5
Opcode Fuzzy Hash: 31100d1ddba204ca855414217a3fa3bca48ca3f0dcf9af2ea3f2ffb0d1136758
Instruction Fuzzy Hash: 7B51927180125D9ACF55EBA0CD928EDB7BBAF24300F24416DE44277291DF316F09DBA4

Function 00644140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00644520
Oad, xrefs: 00644984, 00678173
VUUU, xrefs: 006444DB
VUUU, xrefs: 00677B0C
ERCP, xrefs: 0064421F
VUUU, xrefs: 006444ED

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID: ERCP$Oad$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1243811563
Opcode ID: b546a831f035ba1ef5aef82ee6ae3aec5fe5a8c3b9e2da0187bd867f999dc0aa
Instruction ID: eead14c9f38aa8ba7216073e139793208434ab41c132c623b91805c604a35770
Opcode Fuzzy Hash: b546a831f035ba1ef5aef82ee6ae3aec5fe5a8c3b9e2da0187bd867f999dc0aa
Instruction Fuzzy Hash: EBA27E70E0421ACBDF24CF58C9917EDB7B2BF55314F2481AAD85AA7380EB749E81DB50

Function 0069F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0069F6AB
Sleep.KERNEL32(0000000A), ref: 0069F6DB
_wcscmp.LIBCMT ref: 0069F6EF
_wcscmp.LIBCMT ref: 0069F70A
FindNextFileW.KERNEL32(?,?), ref: 0069F7A8
FindClose.KERNEL32(00000000), ref: 0069F7BE

Strings

*.*, xrefs: 0069F690

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 29bfd691109a11e0356841ca9933d0304d817239c21b5b46f26c7f84a2401fb6
Instruction ID: 1dc4c695e9564aed7f83f5b459eed3705f0ebe49b1b22ec81688c0e79181afbf
Opcode Fuzzy Hash: 29bfd691109a11e0356841ca9933d0304d817239c21b5b46f26c7f84a2401fb6
Instruction Fuzzy Hash: E641817190021A9FCF51DFA4DC85AEEBBBAFF05310F14456AE815E72A0DB309E84CB94

Function 006458C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00645A05
_memmove.LIBCMT ref: 00645A55
_memmove.LIBCMT ref: 00645ABB

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e1022e2194bd8c342d879ef8fd385703a332b0d1ff0676be6499cfa40773e6b4
Instruction ID: bfdff983910188307712732dc7a6e5250def2efb978c616d01e58168e7c0798e
Opcode Fuzzy Hash: e1022e2194bd8c342d879ef8fd385703a332b0d1ff0676be6499cfa40773e6b4
Instruction Fuzzy Hash: CF129B70A00609EFDF54DFA4D981AEEB3F6FF48300F104669E806A7292EB35AD15CB54

Function 00645680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00650FF6: std::exception::exception.LIBCMT ref: 0065102C
Part of subcall function 00650FF6: __CxxThrowException@8.LIBCMT ref: 00651041

_memmove.LIBCMT ref: 0068062F
_memmove.LIBCMT ref: 00680744
_memmove.LIBCMT ref: 006807EB

Strings

yZd, xrefs: 00680881, 006807FF

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZd
API String ID: 1300846289-2934610514
Opcode ID: 88689266554fff6daa4d414b3585e3a9019ac0351ee36c6a62567717679ece53
Instruction ID: e362a9e5dbe88cce0579c09ac02d2e27592ec6a5550bbbce6c84cd5f976baac7
Opcode Fuzzy Hash: 88689266554fff6daa4d414b3585e3a9019ac0351ee36c6a62567717679ece53
Instruction Fuzzy Hash: B3029FB0A00209DFDF44DF64D981AAEBBB6EF44300F1484ADE806DB395EB31DA55CB95

Function 0069545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00688CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00688D0D
Part of subcall function 00688CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00688D3A
Part of subcall function 00688CC3: GetLastError.KERNEL32 ref: 00688D47

ExitWindowsEx.USER32(?,00000000), ref: 0069549B

Strings

SeShutdownPrivilege, xrefs: 0069546B
, xrefs: 00695489
@, xrefs: 0069548E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1721bea75db6b39b9ea908d72ac93ec1c9e975787adf7f1cac24fbbf7f83aef9
Instruction ID: 04a6b8a52a361843b1ca043c9f07bfea38f5a5722e8b13bbd4fbdf4a26444502
Opcode Fuzzy Hash: 1721bea75db6b39b9ea908d72ac93ec1c9e975787adf7f1cac24fbbf7f83aef9
Instruction Fuzzy Hash: 64012471655B112AEFA96378EC4ABFA729EAB00B52F200235FD07D66E3DA501C8083D4

Function 00643190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oad, xrefs: 00643482

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oad
API String ID: 674341424-2998856776
Opcode ID: da46ba53e7b2663f91c5d5b328c571f1f97f301ec0fdff97b4b740f926c84b3e
Instruction ID: f9e695e5893ca84abfef102f2c6dcca6e32b6e3f322866ef792324e6b30fa36e
Opcode Fuzzy Hash: da46ba53e7b2663f91c5d5b328c571f1f97f301ec0fdff97b4b740f926c84b3e
Instruction Fuzzy Hash: 5522BC716083119FC764DF24C881BAFB7E6AF84314F14891DF89A97392DB70EA05CB96

Function 006A6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006A65EF
WSAGetLastError.WSOCK32(00000000), ref: 006A65FE
bind.WSOCK32(00000000,?,00000010), ref: 006A661A
listen.WSOCK32(00000000,00000005), ref: 006A6629
WSAGetLastError.WSOCK32(00000000), ref: 006A6643
closesocket.WSOCK32(00000000,00000000), ref: 006A6657

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 92ead894865b609bb12e8328fd900fd03db942487eb0d8c3ba7094e8fec009f0
Instruction ID: 79995ff7e0d920ef10dd796296236db88c1a2990d27966b9086ec888aa90fcea
Opcode Fuzzy Hash: 92ead894865b609bb12e8328fd900fd03db942487eb0d8c3ba7094e8fec009f0
Instruction Fuzzy Hash: B4219E746002009FCB10BF64DC49B6EB7BAEF45720F149269F956A73E1CBB0AD418FA5

Function 00631287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006319FA
GetSysColor.USER32(0000000F), ref: 00631A4E
SetBkColor.GDI32(?,00000000), ref: 00631A61

Part of subcall function 00631290: DefDlgProcW.USER32(?,00000020,?), ref: 006312D8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 4b380670ad11ba565cfbd3ff83ca6b9678e66dd002cee06cfbd950f67a6c9f77
Instruction ID: ff5f11160d99fd710807f28f2da7acc904224d52d79e713eda8c2b4c3bf73783
Opcode Fuzzy Hash: 4b380670ad11ba565cfbd3ff83ca6b9678e66dd002cee06cfbd950f67a6c9f77
Instruction Fuzzy Hash: 2EA126B1105544BADB28AB299C55EFF259FDB43392F14121EF402DE292CE249E82D3F9

Function 006A6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006A80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006A80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006A6AB1
WSAGetLastError.WSOCK32(00000000), ref: 006A6ADA
bind.WSOCK32(00000000,?,00000010), ref: 006A6B13
WSAGetLastError.WSOCK32(00000000), ref: 006A6B20
closesocket.WSOCK32(00000000,00000000), ref: 006A6B34

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 02c18a5f9f691cfed37e35eed18c2fe9ed285dd618cf50abbca9a2b90d4d0654
Instruction ID: 412bad0de62a66b2aacd55371e84912ab5a987e8721c358d487d8893b00dedc7
Opcode Fuzzy Hash: 02c18a5f9f691cfed37e35eed18c2fe9ed285dd618cf50abbca9a2b90d4d0654
Instruction Fuzzy Hash: 3C41D675700210AFEB50BF24DC86F6E77AADB05710F04815CF95AAB3D2CAB49D018BE5

Function 006B55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006B564C
IsWindowEnabled.USER32 ref: 006B565A
GetForegroundWindow.USER32(?,?,00000001), ref: 006B5667
IsIconic.USER32 ref: 006B5675
IsZoomed.USER32 ref: 006B5683

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 683aa7fe8cff968776a959063acb58cc7acea1fc4687f9a10361723a2263529d
Instruction ID: a432d1a06da91ffb9bc584704620b93da6ce31b30bbd5cda8a81b79d96cadf91
Opcode Fuzzy Hash: 683aa7fe8cff968776a959063acb58cc7acea1fc4687f9a10361723a2263529d
Instruction Fuzzy Hash: F111B2B2700A106FE7212F26DC44BEB779BEF54721F404129F947D7261EB7099828BA9

Function 0063E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dto, xrefs: 00673F58
Dto, xrefs: 0063EC1A
Dto, xrefs: 00673F1F
Dto, xrefs: 0063EC21
Variable must be of type 'Object'., xrefs: 0067428C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID: Dto$Dto$Dto$Dto$Variable must be of type 'Object'.
API String ID: 0-4087033983
Opcode ID: 6a6b667900deb5f15f3fa27891784e2c82f900d31a26e6f43d4b8330359b5395
Instruction ID: d93f663b5fec756ec1b030aaa1384fe4316047e132e10a93a8e04e2ea2ca0076
Opcode Fuzzy Hash: 6a6b667900deb5f15f3fa27891784e2c82f900d31a26e6f43d4b8330359b5395
Instruction Fuzzy Hash: 19A24B74E04215CFCB24CF58C580AAEB7B3FF58314F248169E916AB391D776AD42CBA1

Function 0069C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0069C69D
CoCreateInstance.OLE32(006C2D6C,00000000,00000001,006C2BDC,?), ref: 0069C6B5

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

CoUninitialize.OLE32 ref: 0069C922

Strings

.lnk, xrefs: 0069C631, 0069C659, 0069C663

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 78f74cc6c407cc7d7f97d7692bfb8e009f29483c95eff37e29897ef12af4625a
Instruction ID: 03cf11ff4e9de1931c6d2374fffbc2a34cfc350c3de62c4ce4b864fbd35f5907
Opcode Fuzzy Hash: 78f74cc6c407cc7d7f97d7692bfb8e009f29483c95eff37e29897ef12af4625a
Instruction Fuzzy Hash: D2A12B71104305AFD740EF54C891EABB7EDEF94314F004A1CF196971A2DBB0EA49CBA6

Function 006AC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00671D88,?), ref: 006AC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006AC324

Strings

kernel32.dll, xrefs: 006AC30D
GetSystemWow64DirectoryW, xrefs: 006AC31E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 5be1fc461f5d50191a77e7e1137d174e17034675449042d453bb03423fe1f0e2
Instruction ID: eff5d552aa4dd49284f48536f20d287a3bfcc8b3b6b30fd47d591067b3c95b97
Opcode Fuzzy Hash: 5be1fc461f5d50191a77e7e1137d174e17034675449042d453bb03423fe1f0e2
Instruction Fuzzy Hash: C6E0ECB4610713CFDF206F29DC14A867ADAEB19765B80D879E895D6360E770D881CBA0

Function 006AF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006AF151
Process32FirstW.KERNEL32(00000000,?), ref: 006AF15F

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Process32NextW.KERNEL32(00000000,?), ref: 006AF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 006AF22E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: d945e44ccedf7860cb46318ed6ff4315019e86402ecde5dde0c3361c66d8c346
Instruction ID: 237ee9d5d5ad7ebf8ddc1822b55d36b13792d3022746415fc9cb76b94d4071fa
Opcode Fuzzy Hash: d945e44ccedf7860cb46318ed6ff4315019e86402ecde5dde0c3361c66d8c346
Instruction Fuzzy Hash: F9518EB1504301AFD350EF24DC81AABB7EAFF95710F10492DF496972A1EB70AA04CB96

Function 0068EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0068EB19

Strings

|, xrefs: 0068EB49
(, xrefs: 0068EB5F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 067bb4be5e6ee108155d04774bbbe73f76955869980e743dc9565e6aadf4c266
Instruction ID: 295a8a4f2f3e2d8461ba3131bac688a0debe0ab52ef590d986bf5ee054a57f5d
Opcode Fuzzy Hash: 067bb4be5e6ee108155d04774bbbe73f76955869980e743dc9565e6aadf4c266
Instruction Fuzzy Hash: 71324674A007059FDB28DF19C481AAAB7F2FF48310B15C56EE89ADB3A1E770E941CB44

Function 006A25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006A1AFE,00000000), ref: 006A26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006A270C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 46103baba199bb79c080030fdf30cf3315dfa40f63fca4fc73248ee2cc3d9bc4
Instruction ID: 5f3f7f8cfeb3fe95d0547593dd55c16ff8cab5d4ac8042030a0d0e7653ab60e6
Opcode Fuzzy Hash: 46103baba199bb79c080030fdf30cf3315dfa40f63fca4fc73248ee2cc3d9bc4
Instruction Fuzzy Hash: 6F41E87194020ABFEB20EF58DC95EFB77BEEB42714F10406EFA01A6240EA71DE459E54

Function 0069B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0069B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0069B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0069B655

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 850c2eee4c404964035df862cc8b4aac3183f637e7707854313624dc697e3064
Instruction ID: 52a8078de2cb404505efbc6c5d85dc9dea4e16a239029b70090bf898599f6149
Opcode Fuzzy Hash: 850c2eee4c404964035df862cc8b4aac3183f637e7707854313624dc697e3064
Instruction Fuzzy Hash: 11216075A00218EFCB00EFA5DC84EADBBB9FF48310F1481A9E845AB361DB31A955CF55

Function 00688CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00650FF6: std::exception::exception.LIBCMT ref: 0065102C
Part of subcall function 00650FF6: __CxxThrowException@8.LIBCMT ref: 00651041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00688D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00688D3A
GetLastError.KERNEL32 ref: 00688D47

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: b4714f60d3d0e7b1ca79a763fd9bf3e04376c610d759472ce73307ce37a36288
Instruction ID: acd7ae4f3c9de159db36ed0d80fe9f3779bbe712d25a8b739a359041ca633466
Opcode Fuzzy Hash: b4714f60d3d0e7b1ca79a763fd9bf3e04376c610d759472ce73307ce37a36288
Instruction Fuzzy Hash: 3F11B2B1414208AFE728AF54DC85D6BB7BEEF04711B10862EF84583251EB70BC408B60

Function 00694021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0069404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00694088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00694091

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 86c63f78d24050e709b8f61441f16c22d43a9ecdeb9660fb4a9a9e6d9917fad2
Instruction ID: 1d80e98f3450d94a7b2990db9cd1f9cd871bcc951c99c6caf6de9a93b155413d
Opcode Fuzzy Hash: 86c63f78d24050e709b8f61441f16c22d43a9ecdeb9660fb4a9a9e6d9917fad2
Instruction Fuzzy Hash: A31152B1D04228BEEB109BE8DC49FBFBBBDEB08760F100656BA04E7291D6745D4587E1

Function 00694C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00694C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00694C43
FreeSid.ADVAPI32(?), ref: 00694C53

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 99e45739ceb967309d9392e7e9388d24b8d8465fc05e45914e3df9c9f4053152
Instruction ID: eb672c4db206eb7b6870326d7325b82451fa7fb6adbb8f1cdf2fbf595075bfd8
Opcode Fuzzy Hash: 99e45739ceb967309d9392e7e9388d24b8d8465fc05e45914e3df9c9f4053152
Instruction Fuzzy Hash: 41F04F7591130CBFDF04DFF0DC99AADB7BDEF08201F004569A601E2191D6705A448B50

Function 00698B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00698B25

Part of subcall function 0065543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006991F8,00000000,?,?,?,?,006993A9,00000000,?), ref: 00655443
Part of subcall function 0065543A: __aulldiv.LIBCMT ref: 00655463

Strings

0uo, xrefs: 00698B1C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0uo
API String ID: 2893107130-1416613368
Opcode ID: f79cd40f6dd77b34989dde2fab3cec636c059505e3aabdb6205977b84d438f48
Instruction ID: 89aed4d1c7af1d2cad20ed588b8bc84a25d66afec2ad3bfb2cffab8fce9c1952
Opcode Fuzzy Hash: f79cd40f6dd77b34989dde2fab3cec636c059505e3aabdb6205977b84d438f48
Instruction Fuzzy Hash: 2121E4726355108FC729CF25D441AA2B3E6EBA5311F288E6CD0E5CB6D0CE74BD45CB94

Function 0063E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae062f6d1ab08417df357747682efa3ccdc4854e938a34bf3ebd3c4f81fe652
Instruction ID: 9f470054192c82b5af5c85523326588ef8f5e8731bdf62a8e991258103f5d338
Opcode Fuzzy Hash: 7ae062f6d1ab08417df357747682efa3ccdc4854e938a34bf3ebd3c4f81fe652
Instruction Fuzzy Hash: 92228D74A00216CFDB24DF54C480BEAB7F2FF08310F148569E856AB391E776A985DBE1

Function 0069C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0069C966
FindClose.KERNEL32(00000000), ref: 0069C996

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 200b632ae9fafcbb8805fde47b90b3fa7d093355d4be69de6c030e5c2c15bb20
Instruction ID: a2e41c5e0fb783bd31abdb6d26b73d0bb0de4ed7b84949055f8e5966befbce4f
Opcode Fuzzy Hash: 200b632ae9fafcbb8805fde47b90b3fa7d093355d4be69de6c030e5c2c15bb20
Instruction Fuzzy Hash: 331165756106009FDB10EF29D845A2AF7EAFF44324F04861EF8A5D72A1DB70AD01CF95

Function 0069A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,006A977D,?,006BFB84,?), ref: 0069A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,006A977D,?,006BFB84,?), ref: 0069A314

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 367c09eef24cde3795a91179b4782492745ee7d632c52025b34e4573623e8374
Instruction ID: 419bb3625fe3210946db2009678d6b7d8a7da6de25f20b4245bd4888520d2e8a
Opcode Fuzzy Hash: 367c09eef24cde3795a91179b4782492745ee7d632c52025b34e4573623e8374
Instruction Fuzzy Hash: AEF0827554422DABDB20AFA4CC48FEA77AEBF09761F004269F908D6291D6309940CBE1

Function 00688713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00688851), ref: 00688728
CloseHandle.KERNEL32(?,?,00688851), ref: 0068873A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dfb0b88b93d27c5f542175431c676cd5d9a20b334290babee603d8cc5de55288
Instruction ID: 0a3220ea3d762982ec30407afee3a0d40d92786f95c5be4e09c9478124b559f5
Opcode Fuzzy Hash: dfb0b88b93d27c5f542175431c676cd5d9a20b334290babee603d8cc5de55288
Instruction Fuzzy Hash: A9E0EC76010610EFE7752B64EC09E777BEAEF04365B24893DF99684470DB62ACD0DB50

Function 0065A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00658F97,?,?,?,00000001), ref: 0065A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0065A3A3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: df2992a85c7dc0476ea261ee789cf1a297b8fb33334aa356e3d24a2c1f84587e
Instruction ID: 981d98b13095f4441607d02726860669963279c7d55489fbe9fd4d0e02fcdd88
Opcode Fuzzy Hash: df2992a85c7dc0476ea261ee789cf1a297b8fb33334aa356e3d24a2c1f84587e
Instruction Fuzzy Hash: 57B09271054208ABCB002B91EC09B883FAAEB44AA2F409120F60E84072CF6254908AD1

Function 0065F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891fcb2d06d23fe4624658252c2f64d6b28ec58c2d4f50b994cbf6a1d1623cef
Instruction ID: 7aa943d03866376e8b138b3c6d925e321771eb38a4310af99997945024f75354
Opcode Fuzzy Hash: 891fcb2d06d23fe4624658252c2f64d6b28ec58c2d4f50b994cbf6a1d1623cef
Instruction Fuzzy Hash: BC321721D69F414DD7239A34DC32336A24AAFB73C5F15E737EC1AB5AA6DB29C8834100

Function 0066267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed756d68a39024b5c8c9172eb786c41f8a8008dca4bbcd60c0ce0285a15891e3
Instruction ID: dfb5dbde27af5dc381bbe0b1d19c8f1d9b707b87828c68c1d57daf70cf4d1ae4
Opcode Fuzzy Hash: ed756d68a39024b5c8c9172eb786c41f8a8008dca4bbcd60c0ce0285a15891e3
Instruction Fuzzy Hash: AFB1F030D2AF454DD32396398835336BA9DAFBB2D9F51E71BFC2A74D22EB2185834141

Function 006A41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006A4218

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 48a447edfdae5c7e15022fec984dc91f3aa08d8a1041451c0f3a0763fe8e66d4
Instruction ID: aac7ffab4ce19327e52ba2f37f10b659518d4d7767fb01d5f919b6e05c82b251
Opcode Fuzzy Hash: 48a447edfdae5c7e15022fec984dc91f3aa08d8a1041451c0f3a0763fe8e66d4
Instruction Fuzzy Hash: 23E04F752402149FC710EF5AD844A9AF7EAAF95760F00802AFD49C7362DAB1ED418FF0

Function 00694EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00694F18

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ef7a4c0ccc7c077c706535acfa71d47c7ccc7558f7c0f5a6018e7160be473198
Instruction ID: 747370690f0ac291008553321b572a8832cd8d8edc272b891a56f60eac8f90b3
Opcode Fuzzy Hash: ef7a4c0ccc7c077c706535acfa71d47c7ccc7558f7c0f5a6018e7160be473198
Instruction Fuzzy Hash: 32D09EF516860779FD284B20AC1FFB6120FE3D4795F945A89720195DC29CE56C53A035

Function 00688C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006888D1), ref: 00688CB3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: bb6dbb027d88af314113106a214fb76e0eb204ee1a437d6356d4c7bfc8da3b67
Instruction ID: 4dfa54d25705b34ecbcd35394e7bf33cf09d6cefe832ba107fe3e931e7953372
Opcode Fuzzy Hash: bb6dbb027d88af314113106a214fb76e0eb204ee1a437d6356d4c7bfc8da3b67
Instruction Fuzzy Hash: 7AD05E3226050EABEF019FA4DC02EAE3B6AEB04B01F408111FE15C50A1C775D835AB60

Function 00672230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00672242

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 51dbc2d6577316a26891e254f1044484e63f41ed66d204b57b8e6d586ef5bf4a
Instruction ID: 7842f5f54c77e8b56ed25856d3f690c25c810eca824c698e43d7ad2995da00e2
Opcode Fuzzy Hash: 51dbc2d6577316a26891e254f1044484e63f41ed66d204b57b8e6d586ef5bf4a
Instruction Fuzzy Hash: 4FC048F1800109DBDB05EBA0DA98DEEB7BDAB08304F2081A6A106F2120E7749B848B71

Function 0065A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0065A36A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d5f49ae6056ca155158216aa53c57d1ebb20efdcfc8f69a2e5969f891abb5214
Instruction ID: 73027b613186c238af1279a942ca06dd1af7c9e2e41e942dc6b13d4357770240
Opcode Fuzzy Hash: d5f49ae6056ca155158216aa53c57d1ebb20efdcfc8f69a2e5969f891abb5214
Instruction Fuzzy Hash: 71A0113000020CAB8B002B82EC08888BFAEEA002A0B008020F80E800328F32A8A08AC0

Function 00648A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b62731b1a1f98bd33bbc5532f8d3f18781ced9de1847f2ecc88ae59dc3cb25e
Instruction ID: 872be84d371ac994e94bd05bcbfbb40b75032f1dd970d6dc069565f5f8b8e531
Opcode Fuzzy Hash: 0b62731b1a1f98bd33bbc5532f8d3f18781ced9de1847f2ecc88ae59dc3cb25e
Instruction Fuzzy Hash: EE221630905656CFDF289B28C4D46FDB7A3EB01344F68856AD8438B792EB349DC2DB61

Function 00652405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 5f91fc852fa173c91e71ca52863d739d023e3368a4cc1cd46a43463f2c86f0c4
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 4FC184322090530ADB1D8639D4741BEBAE25AA37B271A075DECB2CF6C5EF20D56CD620

Function 0065283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 632aebf3de3170c0cdea99498f88bf56f041d08f570672dbc58efea62a707bf0
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: B5C1A53220919309DF6D463AD43417EBBE25AA37B271A075DECB2DF6C5EF10D52C9620

Function 00CC3208 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 5db887faa7be7c809f406111a98a34df16d575571c99ce85e74d3ff41332c5fd
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: A341B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 00CC30F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 4fa4c134704ef631352b8e3f5aac8033613e27d5a2f0613d3c2e1e29e9f8e12e
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 5E019278A00209EFCB44DF98D590DAEF7B6FB48310F248599E819A7341D730AF41DB90

Function 00CC3098 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 993406617b80fd092af55eddc0de805ec8f9880c37dd93d92cc779ae7cfb7dc8
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 36018C79A00209EFCB48DF98D590EAEF7B5FB88310F208599E819A7741D731AE41DB80

Function 00CC1A78 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1680021528.0000000000CBF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbf000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 006A7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006A7B70
DeleteObject.GDI32(00000000), ref: 006A7B82
DestroyWindow.USER32 ref: 006A7B90
GetDesktopWindow.USER32 ref: 006A7BAA
GetWindowRect.USER32(00000000), ref: 006A7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006A7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006A7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7D4A
GetClientRect.USER32(00000000,?), ref: 006A7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006A7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7DD0
GlobalLock.KERNEL32(00000000), ref: 006A7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7DE8
GlobalUnlock.KERNEL32(00000000), ref: 006A7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7DF8
GlobalFree.KERNEL32(00000000), ref: 006A7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006C2CAC,00000000), ref: 006A7E2B
GlobalFree.KERNEL32(00000000), ref: 006A7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 006A7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 006A7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A808F

Strings

static, xrefs: 006A7D8A, 006A7EE1
DISPLAY, xrefs: 006A7EF2
, xrefs: 006A8015
AutoIt v3, xrefs: 006A7D42

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: fd0b7e48dd9984543f5ced6bc244cad1b43fb3f71cf024c4a1ac9bff0384fc42
Instruction ID: b3d31b05dee56cecec333f097120c9ff04cbbdd157087617367b8aa49b368dac
Opcode Fuzzy Hash: fd0b7e48dd9984543f5ced6bc244cad1b43fb3f71cf024c4a1ac9bff0384fc42
Instruction Fuzzy Hash: 2E027DB1900115EFDB14DFA8CC89EAE7BBAFB49314F148558F905AB2A1CB70AD41CF60

Function 006B37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,006BF910), ref: 006B38AF
IsWindowVisible.USER32(?), ref: 006B38D3

Strings

SELECTSTRING, xrefs: 006B3A8E
SETCURRENTSELECTION, xrefs: 006B3A3E
GETLINECOUNT, xrefs: 006B3B4E
ISVISIBLE, xrefs: 006B38BF
GETCURRENTSELECTION, xrefs: 006B3A6B
CURRENTTAB, xrefs: 006B3945
GETSELECTED, xrefs: 006B3B2B
HIDEDROPDOWN, xrefs: 006B3988
TABLEFT, xrefs: 006B390F
GETCURRENTLINE, xrefs: 006B3B75
ADDSTRING, xrefs: 006B399E
SENDCOMMANDID, xrefs: 006B3C62
FINDSTRING, xrefs: 006B39FE
EDITPASTE, xrefs: 006B3BE7
GETCURRENTCOL, xrefs: 006B3BB0
GETLINE, xrefs: 006B3C23
SHOWDROPDOWN, xrefs: 006B3968
UNCHECK, xrefs: 006B3B0B
TABRIGHT, xrefs: 006B3925
DELSTRING, xrefs: 006B39D1
CHECK, xrefs: 006B3AF5
ISENABLED, xrefs: 006B38F3
ISCHECKED, xrefs: 006B3AC1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: c019cc3a174e56a4ea0f609ac5a8bed8769506662c65a6b9fa11f079628c5585
Instruction ID: e70508de0b267e23c7f287eaddbeee4c5cd987223aeed0f5da36389abccd104d
Opcode Fuzzy Hash: c019cc3a174e56a4ea0f609ac5a8bed8769506662c65a6b9fa11f079628c5585
Instruction Fuzzy Hash: EED1B070304316CBCB54EF15C951AAABBA3AF54344F14455CB8865B3E2DB30EE8BCB95

Function 006BA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006BA89F
GetSysColorBrush.USER32(0000000F), ref: 006BA8D0
GetSysColor.USER32(0000000F), ref: 006BA8DC
SetBkColor.GDI32(?,000000FF), ref: 006BA8F6
SelectObject.GDI32(?,?), ref: 006BA905
InflateRect.USER32(?,000000FF,000000FF), ref: 006BA930
GetSysColor.USER32(00000010), ref: 006BA938
CreateSolidBrush.GDI32(00000000), ref: 006BA93F
FrameRect.USER32(?,?,00000000), ref: 006BA94E
DeleteObject.GDI32(00000000), ref: 006BA955
InflateRect.USER32(?,000000FE,000000FE), ref: 006BA9A0
FillRect.USER32(?,?,?), ref: 006BA9D2
GetWindowLongW.USER32(?,000000F0), ref: 006BA9FD

Part of subcall function 006BAB60: GetSysColor.USER32(00000012), ref: 006BAB99
Part of subcall function 006BAB60: SetTextColor.GDI32(?,?), ref: 006BAB9D
Part of subcall function 006BAB60: GetSysColorBrush.USER32(0000000F), ref: 006BABB3
Part of subcall function 006BAB60: GetSysColor.USER32(0000000F), ref: 006BABBE
Part of subcall function 006BAB60: GetSysColor.USER32(00000011), ref: 006BABDB
Part of subcall function 006BAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006BABE9
Part of subcall function 006BAB60: SelectObject.GDI32(?,00000000), ref: 006BABFA
Part of subcall function 006BAB60: SetBkColor.GDI32(?,00000000), ref: 006BAC03
Part of subcall function 006BAB60: SelectObject.GDI32(?,?), ref: 006BAC10
Part of subcall function 006BAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 006BAC2F
Part of subcall function 006BAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006BAC46
Part of subcall function 006BAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 006BAC5B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7ff3b94acb683914f7744dfdf643ef88ae13c307da283d643d978b2b14b82598
Instruction ID: dc3ff82012f5a47dee27f2644c34bc3394c53fcd4e50f02730fd899e635f4594
Opcode Fuzzy Hash: 7ff3b94acb683914f7744dfdf643ef88ae13c307da283d643d978b2b14b82598
Instruction Fuzzy Hash: B0A171B2408301BFD7109F64DC08AAB7BAAFF89321F105B29F962961F1D771D985CB52

Function 00632C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00632CA2
DeleteObject.GDI32(00000000), ref: 00632CE8
DeleteObject.GDI32(00000000), ref: 00632CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00632CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00632D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0066C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0066C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0066CAED

Part of subcall function 00631B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00632036,?,00000000,?,?,?,?,006316CB,00000000,?), ref: 00631B9A

SendMessageW.USER32(?,00001053), ref: 0066CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0066CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0066CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0066CB62

Strings

0, xrefs: 0066C981

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: da1bbbbd31df22bb4fdb485ba3edda0d3b7307a57c2c3db0d40c15eb7b99252f
Instruction ID: b21c33c360564d625bc8c7e0429e8504876525a7476275a8bb4d9d4aa17c12d5
Opcode Fuzzy Hash: da1bbbbd31df22bb4fdb485ba3edda0d3b7307a57c2c3db0d40c15eb7b99252f
Instruction Fuzzy Hash: 87128F30604602EFDB64CF24C895BB9BBE6BF45320F545669F895DB262C731EC82CB91

Function 006A77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006A77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006A78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006A78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006A7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 006A7946
GetClientRect.USER32(00000000,?), ref: 006A7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 006A7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006A79A5
GetStockObject.GDI32(00000011), ref: 006A79B5
SelectObject.GDI32(00000000,00000000), ref: 006A79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006A79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A79D2
DeleteDC.GDI32(00000000), ref: 006A79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006A7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 006A7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 006A7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006A7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 006A7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 006A7AAE
GetStockObject.GDI32(00000011), ref: 006A7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006A7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006A7ACE

Strings

static, xrefs: 006A7990, 006A7AA8
msctls_progress32, xrefs: 006A7A4F
DISPLAY, xrefs: 006A799B
AutoIt v3, xrefs: 006A793E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 31227521a55c03c7f02376026626c898de28f4bf7b0f315f4629785b3c660906
Instruction ID: 6dffd1edab1b506036c52ba230a613993e03b5491102fa66808dff2574857eb9
Opcode Fuzzy Hash: 31227521a55c03c7f02376026626c898de28f4bf7b0f315f4629785b3c660906
Instruction Fuzzy Hash: 36A164B1A40215BFEB14DBA8DC4AFAE7BBAEB45714F004214FA15A72E0D774AD40CF64

Function 0069AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0069AF89
GetDriveTypeW.KERNEL32(?,006BFAC0,?,\\.\,006BF910), ref: 0069B066
SetErrorMode.KERNEL32(00000000,006BFAC0,?,\\.\,006BF910), ref: 0069B1C4

Strings

FileBackedVirtual, xrefs: 0069B193
RAMDisk, xrefs: 0069B090
RAID, xrefs: 0069B162
ATAPI, xrefs: 0069B138
CDROM, xrefs: 0069B09A
USB, xrefs: 0069B15B
MMC, xrefs: 0069B185
iSCSI, xrefs: 0069B169
SATA, xrefs: 0069B177
SCSI, xrefs: 0069B131
PhysicalDrive, xrefs: 0069B012
1394, xrefs: 0069B146
Virtual, xrefs: 0069B18C
Network, xrefs: 0069B0A4
SSD, xrefs: 0069B0F1
Unknown, xrefs: 0069B086, 0069B12A
Removable, xrefs: 0069B0B8
SAS, xrefs: 0069B170
Fibre, xrefs: 0069B154
Fixed, xrefs: 0069B0AE
\\.\, xrefs: 0069AFDB
SSA, xrefs: 0069B14D
ATA, xrefs: 0069B13F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ef26cba0e80323a513eda6d61da172b6684911c5248666b52f6e196eb5137514
Instruction ID: b7d85de37f580c96a111bc101553aac5269d436da71894ce7b62b97e0d7c6f2a
Opcode Fuzzy Hash: ef26cba0e80323a513eda6d61da172b6684911c5248666b52f6e196eb5137514
Instruction Fuzzy Hash: BD51F434681345ABCF04DB91EF92DBD73BBEB14341B21501AE40AA7A90C775AD42DB92

Function 00636A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00636A91
__wcsnicmp.LIBCMT ref: 00636AA9
__wcsnicmp.LIBCMT ref: 00636AC1
__wcsnicmp.LIBCMT ref: 00636AD9
__wcsnicmp.LIBCMT ref: 00636AF1
__wcsnicmp.LIBCMT ref: 00636B09
__wcsnicmp.LIBCMT ref: 00636B21
__wcsnicmp.LIBCMT ref: 00636B35
__wcsnicmp.LIBCMT ref: 00636B76
__wcsnicmp.LIBCMT ref: 00636B8A
__wcsnicmp.LIBCMT ref: 00636B9E
__wcsnicmp.LIBCMT ref: 00636BB2

Strings

Bad directive syntax error, xrefs: 0066E743
#pragma compile, xrefs: 00636A8B
#include, xrefs: 00636B03
#include-once, xrefs: 00636AEB
Cannot parse #include, xrefs: 0066E819
#comments-start, xrefs: 00636B1B, 00636B70
Unterminated group of comments, xrefs: 0066E82C
#comments-end, xrefs: 00636B98
#ce, xrefs: 00636BAC
#notrayicon, xrefs: 00636AA3
#requireadmin, xrefs: 00636ABB
#OnAutoItStartRegister, xrefs: 00636AD3
#cs, xrefs: 00636B2F, 00636B84

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 1b139445ed4da15813ec938baf895a61b5370eac8d650a5d502ca6611c314fe8
Instruction ID: e01001177d08ab87a5e670c54aed190f962f8b4aae19aca8b6057b4b5fcebc20
Opcode Fuzzy Hash: 1b139445ed4da15813ec938baf895a61b5370eac8d650a5d502ca6611c314fe8
Instruction Fuzzy Hash: 7E812DB0600255BBCB60AF64CC92FEF775BEF11701F048029FD42AA2D1EB61EA55C6D9

Function 006BAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006BAB99
SetTextColor.GDI32(?,?), ref: 006BAB9D
GetSysColorBrush.USER32(0000000F), ref: 006BABB3
GetSysColor.USER32(0000000F), ref: 006BABBE
CreateSolidBrush.GDI32(?), ref: 006BABC3
GetSysColor.USER32(00000011), ref: 006BABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006BABE9
SelectObject.GDI32(?,00000000), ref: 006BABFA
SetBkColor.GDI32(?,00000000), ref: 006BAC03
SelectObject.GDI32(?,?), ref: 006BAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 006BAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006BAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 006BAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006BACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006BACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 006BACEC
DrawFocusRect.USER32(?,?), ref: 006BACF7
GetSysColor.USER32(00000011), ref: 006BAD05
SetTextColor.GDI32(?,00000000), ref: 006BAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006BAD21
SelectObject.GDI32(?,006BA869), ref: 006BAD38
DeleteObject.GDI32(?), ref: 006BAD43
SelectObject.GDI32(?,?), ref: 006BAD49
DeleteObject.GDI32(?), ref: 006BAD4E
SetTextColor.GDI32(?,?), ref: 006BAD54
SetBkColor.GDI32(?,?), ref: 006BAD5E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8a28d270ad18978f0b0cf3a18d2d25efbb43a6c4b6c2347b4ea3491308373e46
Instruction ID: 892856e92247133855dea4d9af7fccd3b149a0dfe49d848e528ecdfd9c05d388
Opcode Fuzzy Hash: 8a28d270ad18978f0b0cf3a18d2d25efbb43a6c4b6c2347b4ea3491308373e46
Instruction Fuzzy Hash: EC611FB1900218FFDB119FA8DC48EEE7B7AEB08320F105625F915AB2A1D7759D80DF90

Function 006B8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006B8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B8D45
CharNextW.USER32(0000014E), ref: 006B8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006B8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006B8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006B8DF9
SetWindowTextW.USER32(?,0000014E), ref: 006B8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006B8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 006B8E8C
_memset.LIBCMT ref: 006B8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006B8EFA
_memset.LIBCMT ref: 006B8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 006B8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 006B8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 006B9088
InvalidateRect.USER32(?,00000000,00000001), ref: 006B90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006B90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006B9121
DrawMenuBar.USER32(?), ref: 006B9130
SetWindowTextW.USER32(?,0000014E), ref: 006B9158

Strings

0, xrefs: 006B90C2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 752f25d6f3b073b49626919450270381de0c7804aae51d9841a84f1cc459c2a1
Instruction ID: 264b77146da49a658644150452804b1e1370a4922a21d070c3e9551bf4a68b0c
Opcode Fuzzy Hash: 752f25d6f3b073b49626919450270381de0c7804aae51d9841a84f1cc459c2a1
Instruction Fuzzy Hash: 98E160B5900219AEDF209F64CC84EEE7B7EEF05710F10815AF915AB2A0DB749AC5DF60

Function 006B4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006B4C51
GetDesktopWindow.USER32 ref: 006B4C66
GetWindowRect.USER32(00000000), ref: 006B4C6D
GetWindowLongW.USER32(?,000000F0), ref: 006B4CCF
DestroyWindow.USER32(?), ref: 006B4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006B4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006B4D68
SendMessageW.USER32(?,00000421,?,?), ref: 006B4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006B4D90
IsWindowVisible.USER32(?), ref: 006B4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006B4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006B4DDF
GetWindowRect.USER32(?,?), ref: 006B4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 006B4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 006B4E37
CopyRect.USER32(?,?), ref: 006B4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 006B4EB9

Strings

(, xrefs: 006B4E2A
tooltips_class32, xrefs: 006B4D1D
0, xrefs: 006B4BFC

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f24583f911c35d468b1613f42f1e74f43511656e1ee7741c5c4e84fe179f10cc
Instruction ID: 91c3ac9c21af5ed6020574a09bb99caa30d5ab8a4c45765eb05986dabad168d9
Opcode Fuzzy Hash: f24583f911c35d468b1613f42f1e74f43511656e1ee7741c5c4e84fe179f10cc
Instruction Fuzzy Hash: B3B19FB1604340AFDB44DF24C845B9ABBE6FF84714F008A1CF5999B2A2DB71EC45CB95

Function 006327D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006328BC
GetSystemMetrics.USER32(00000007), ref: 006328C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006328EF
GetSystemMetrics.USER32(00000008), ref: 006328F7
GetSystemMetrics.USER32(00000004), ref: 0063291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00632939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00632949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0063297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00632990
GetClientRect.USER32(00000000,000000FF), ref: 006329AE
GetStockObject.GDI32(00000011), ref: 006329CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006329D5

Part of subcall function 00632344: GetCursorPos.USER32(?), ref: 00632357
Part of subcall function 00632344: ScreenToClient.USER32(006F67B0,?), ref: 00632374
Part of subcall function 00632344: GetAsyncKeyState.USER32(00000001), ref: 00632399
Part of subcall function 00632344: GetAsyncKeyState.USER32(00000002), ref: 006323A7

SetTimer.USER32(00000000,00000000,00000028,00631256), ref: 006329FC

Strings

AutoIt v3 GUI, xrefs: 00632974

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9a388e58a40a2d6e68a642b9b2d5378cb892f03b52f2e0612aeaf04464a85742
Instruction ID: a9a82fa6bc22e2ed565b24f21e9fc0ab7ceae9720613832461469c09fba0790b
Opcode Fuzzy Hash: 9a388e58a40a2d6e68a642b9b2d5378cb892f03b52f2e0612aeaf04464a85742
Instruction Fuzzy Hash: 00B14F7160020AEFDB14DF68DC55BEE7BB6FB08315F109229FA15A73A0DB74A941CB90

Function 006B4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006B40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006B41B6

Strings

FINDITEM, xrefs: 006B4329
ISSELECTED, xrefs: 006B41C1
DESELECT, xrefs: 006B42A4
GETSELECTED, xrefs: 006B42E4
SELECTINVERT, xrefs: 006B4286
SELECT, xrefs: 006B4250
GETSUBITEMCOUNT, xrefs: 006B4141
GETITEMCOUNT, xrefs: 006B4128
SELECTCLEAR, xrefs: 006B4235
SELECTALL, xrefs: 006B421D
GETTEXT, xrefs: 006B415F
GETSELECTEDCOUNT, xrefs: 006B4199
VIEWCHANGE, xrefs: 006B4375

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: cf146afaf8052418f05bbfcfeaffbfd2625f15488356ad9f08d4f89165a5dc99
Instruction ID: f5a749abaef82cad2c472ae76420373ad4981b8898bae2141462761230cdc05f
Opcode Fuzzy Hash: cf146afaf8052418f05bbfcfeaffbfd2625f15488356ad9f08d4f89165a5dc99
Instruction Fuzzy Hash: 78A1BD702143029BCB54EF24C941AAAB7E7AF84314F144A6CB8969B393DF30ED46CB95

Function 006A52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 006A5309
LoadCursorW.USER32(00000000,00007F8A), ref: 006A5314
LoadCursorW.USER32(00000000,00007F00), ref: 006A531F
LoadCursorW.USER32(00000000,00007F03), ref: 006A532A
LoadCursorW.USER32(00000000,00007F8B), ref: 006A5335
LoadCursorW.USER32(00000000,00007F01), ref: 006A5340
LoadCursorW.USER32(00000000,00007F81), ref: 006A534B
LoadCursorW.USER32(00000000,00007F88), ref: 006A5356
LoadCursorW.USER32(00000000,00007F80), ref: 006A5361
LoadCursorW.USER32(00000000,00007F86), ref: 006A536C
LoadCursorW.USER32(00000000,00007F83), ref: 006A5377
LoadCursorW.USER32(00000000,00007F85), ref: 006A5382
LoadCursorW.USER32(00000000,00007F82), ref: 006A538D
LoadCursorW.USER32(00000000,00007F84), ref: 006A5398
LoadCursorW.USER32(00000000,00007F04), ref: 006A53A3
LoadCursorW.USER32(00000000,00007F02), ref: 006A53AE
GetCursorInfo.USER32(?), ref: 006A53BE
GetLastError.KERNEL32(00000001,00000000), ref: 006A53E9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 440cabb714ddc4df603ef460ceda0d0d6cb2744eb5de2e7efd539fa7d79f01ac
Instruction ID: d0467c9ab6af282c33bed34f02788ae94886593257a40d2443afee857f0dd3d6
Opcode Fuzzy Hash: 440cabb714ddc4df603ef460ceda0d0d6cb2744eb5de2e7efd539fa7d79f01ac
Instruction Fuzzy Hash: C2417470E043196ADB109FBA8C4986EFFF9EF55B10B10452FB509E7291DAB89801CF61

Function 0068AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0068AAA5
__swprintf.LIBCMT ref: 0068AB46
_wcscmp.LIBCMT ref: 0068AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0068ABAE
_wcscmp.LIBCMT ref: 0068ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0068AC21
GetDlgCtrlID.USER32(?), ref: 0068AC73
GetWindowRect.USER32(?,?), ref: 0068ACA9
GetParent.USER32(?), ref: 0068ACC7
ScreenToClient.USER32(00000000), ref: 0068ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0068AD48
_wcscmp.LIBCMT ref: 0068AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0068AD82
_wcscmp.LIBCMT ref: 0068AD96

Part of subcall function 0065386C: _iswctype.LIBCMT ref: 00653874

Strings

%s%u, xrefs: 0068AB40

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: cd8ef11a377b396d24d5dc950e530cc6ffe4b131f518e3eb6cb8ec370880cd16
Instruction ID: 5aa37c0c13dfaf0441dcd5a08334f16df56bb1b332c39ac7bb50d707e3fb1178
Opcode Fuzzy Hash: cd8ef11a377b396d24d5dc950e530cc6ffe4b131f518e3eb6cb8ec370880cd16
Instruction Fuzzy Hash: 3EA1B071204206AFE714EFA4C884BEAB7AAFF04355F10472EFD99D2650DB30E955CB92

Function 0068B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0068B3DB
_wcscmp.LIBCMT ref: 0068B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0068B414
CharUpperBuffW.USER32(?,00000000), ref: 0068B431
_wcscmp.LIBCMT ref: 0068B44F
_wcsstr.LIBCMT ref: 0068B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0068B498
_wcscmp.LIBCMT ref: 0068B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0068B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0068B518
_wcscmp.LIBCMT ref: 0068B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0068B550
GetWindowRect.USER32(00000004,?), ref: 0068B5B9

Strings

@, xrefs: 0068B3BC
ThumbnailClass, xrefs: 0068B4A3, 0068B523

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 3a4e16f07ee7d6440bc102e7902f08a284f27ffaee811defa17dbca3030580f6
Instruction ID: a36986af9e66371e00e2700b061876f5a363c9dfb707939b87cd1c797fa2fe5c
Opcode Fuzzy Hash: 3a4e16f07ee7d6440bc102e7902f08a284f27ffaee811defa17dbca3030580f6
Instruction Fuzzy Hash: F181B4710043059BDB14EF10C885FAA77EAFF44714F04A66DFD859A2A6EB30DD89CBA1

Function 006BC8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

DragQueryPoint.SHELL32(?,?), ref: 006BC917

Part of subcall function 006BADF1: ClientToScreen.USER32(?,?), ref: 006BAE1A
Part of subcall function 006BADF1: GetWindowRect.USER32(?,?), ref: 006BAE90
Part of subcall function 006BADF1: PtInRect.USER32(?,?,006BC304), ref: 006BAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 006BC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006BC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006BC9AE
_wcscat.LIBCMT ref: 006BC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006BC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 006BCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 006BCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 006BCA47
DragFinish.SHELL32(?), ref: 006BCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006BCB41

Strings

@GUI_DROPID, xrefs: 006BCA6E
pro, xrefs: 006BCA8B
@GUI_DRAGFILE, xrefs: 006BCAF0
@GUI_DRAGID, xrefs: 006BCAB9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pro
API String ID: 169749273-249838721
Opcode ID: 93fcf783bc39eaf5fe3a952dc355873a4d2eb84a231a5a0e392d22912b733834
Instruction ID: e8260335d23ba48a890cc92a26a57728de8df4e436f6a22cebde87d779ff4db9
Opcode Fuzzy Hash: 93fcf783bc39eaf5fe3a952dc355873a4d2eb84a231a5a0e392d22912b733834
Instruction Fuzzy Hash: 95614FB1108301AFC711EF55DC85D9FBBEAEF89710F000A1EF592971A1DB709A49CBA6

Function 0068B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0068B23F

Strings

ACTIVE, xrefs: 0068B21A
[ALL, xrefs: 0068B2E5
[ACTIVE, xrefs: 0068B22C
[CLASS:, xrefs: 0068B28F
HANDLE=, xrefs: 0068B238
CLASSNAME=, xrefs: 0068B27C
[REGEXPTITLE:, xrefs: 0068B267
REGEXP=, xrefs: 0068B254
ALL, xrefs: 0068B2D3
[LAST, xrefs: 0068B2EC
[HANDLE:, xrefs: 0068B24B
LAST, xrefs: 0068B204

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 6149aa54bf37d4c0684fe688570ccdcc64786b5b3d577501f372d57582664d93
Instruction ID: 9977631bbb5b3ffa1970c6e1c611a0942bb54c1ee034a4c857583d61eb8649e5
Opcode Fuzzy Hash: 6149aa54bf37d4c0684fe688570ccdcc64786b5b3d577501f372d57582664d93
Instruction Fuzzy Hash: C2318D71A44345A6DF60FA61CD53EEE77A79F20B91F60022DB801721D2EF616F08C6A9

Function 0068C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0068C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0068C4E6
SetWindowTextW.USER32(?,?), ref: 0068C4FD
GetDlgItem.USER32(?,000003EA), ref: 0068C512
SetWindowTextW.USER32(00000000,?), ref: 0068C518
GetDlgItem.USER32(?,000003E9), ref: 0068C528
SetWindowTextW.USER32(00000000,?), ref: 0068C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0068C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0068C569
GetWindowRect.USER32(?,?), ref: 0068C572
SetWindowTextW.USER32(?,?), ref: 0068C5DD
GetDesktopWindow.USER32 ref: 0068C5E3
GetWindowRect.USER32(00000000), ref: 0068C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0068C636
GetClientRect.USER32(?,?), ref: 0068C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0068C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0068C693

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 6ee222063e228da62c7a4ef55216f6f5b3eecb8f62415c465eab7228dac7708b
Instruction ID: 189047e9efffb2b5db95bd332d580def475b206b799bf71d017a937bb2770827
Opcode Fuzzy Hash: 6ee222063e228da62c7a4ef55216f6f5b3eecb8f62415c465eab7228dac7708b
Instruction Fuzzy Hash: 6A517370900709AFDB20EFA8DD85BAEBBF6FF04715F004629E646A26A0D774E954CB50

Function 006BA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006BA4C8
DestroyWindow.USER32(?,?), ref: 006BA542

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006BA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006BA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006BA5F1
DestroyWindow.USER32(00000000), ref: 006BA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00630000,00000000), ref: 006BA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006BA663
GetDesktopWindow.USER32 ref: 006BA67C
GetWindowRect.USER32(00000000), ref: 006BA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006BA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006BA6B3

Part of subcall function 006325DB: GetWindowLongW.USER32(?,000000EB), ref: 006325EC

Strings

0, xrefs: 006BA4DE
tooltips_class32, xrefs: 006BA5B5, 006BA643

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 21e15f3819319703a1d798420c8484b4bcbe5fd6f9781ced8ce9c200d3f66681
Instruction ID: 04ae4901d3d31c1c0b9463c902c679ec43c5e8402aaa1f4bf7dfe308b98f2356
Opcode Fuzzy Hash: 21e15f3819319703a1d798420c8484b4bcbe5fd6f9781ced8ce9c200d3f66681
Instruction Fuzzy Hash: 75719CB1140205AFD720CF68CC45FAA7BE7EB88300F48462DF995873A0E771E982CB56

Function 006B4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006B46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006B46F6

Strings

GETITEMCOUNT, xrefs: 006B47D8
EXISTS, xrefs: 006B475F
EXPAND, xrefs: 006B47A8
GETSELECTED, xrefs: 006B4806
UNCHECK, xrefs: 006B48D2
SELECT, xrefs: 006B48A7
GETTEXT, xrefs: 006B4849
COLLAPSE, xrefs: 006B473C
CHECK, xrefs: 006B4716
GETTOTALCOUNT, xrefs: 006B46DD
ISCHECKED, xrefs: 006B4879

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 5db311306bbba3730a7d6ac409e12ee9c5c03c0886ace7744d78f72548e21fca
Instruction ID: 10e57add16abf16c45420889574d1c404ac515f823a71a64648b9791eaa77e48
Opcode Fuzzy Hash: 5db311306bbba3730a7d6ac409e12ee9c5c03c0886ace7744d78f72548e21fca
Instruction Fuzzy Hash: 13917FB42043029FCB54EF14C851AAABBA3AF44314F04496DF8965B3A3DF70ED4ACB95

Function 006BBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006BBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006B9431), ref: 006BBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006BBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006BBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006BBC7D
FreeLibrary.KERNEL32(?), ref: 006BBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006BBC99
DestroyIcon.USER32(?,?,?,?,?,006B9431), ref: 006BBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006BBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006BBCD1

Part of subcall function 0065313D: __wcsicmp_l.LIBCMT ref: 006531C6

Strings

.dll, xrefs: 006BBB27
.exe, xrefs: 006BBB04
.icl, xrefs: 006BBAE4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8c30067996796540db301afa2bf83cd65fc9cfe02c2b051c69c98903b85d4a62
Instruction ID: 694ba54eec3d8983774c80a2d10f3da4cac24acb3ed4af62111d67a4511b945a
Opcode Fuzzy Hash: 8c30067996796540db301afa2bf83cd65fc9cfe02c2b051c69c98903b85d4a62
Instruction Fuzzy Hash: 5C61DFB1500219BAEB14DF64CC46FFE7BAAFB08711F105219F915D62D1DFB4A984CBA0

Function 0069A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,006BFB78), ref: 0069A0FC

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0069A11E
__swprintf.LIBCMT ref: 0069A177
__swprintf.LIBCMT ref: 0069A190
_wprintf.LIBCMT ref: 0069A246
_wprintf.LIBCMT ref: 0069A264

Strings

Line %d (File "%s"):, xrefs: 0069A171, 0069A18A
"%s" (%d) : ==> %s:, xrefs: 0069A25F
Error: , xrefs: 0069A20E
^ ERROR, xrefs: 0069A1E8
%l, xrefs: 0069A0C9
"%s" (%d) : ==> %s:%s%s, xrefs: 0069A241

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%l
API String ID: 311963372-566744014
Opcode ID: 61652a60263de2ba930f4b00b75fe63ff0b2381bb2a2fde5075998aa789f3b98
Instruction ID: 57dc7f383212c76e6a4b27b421cc39c81a7e7103307a7fd31648a117e406832c
Opcode Fuzzy Hash: 61652a60263de2ba930f4b00b75fe63ff0b2381bb2a2fde5075998aa789f3b98
Instruction Fuzzy Hash: 21516F71904209BACF65EBE0CD86EEEB7BBAF04304F140169F505721A1EB316F58DBA5

Function 0069A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

CharLowerBuffW.USER32(?,?), ref: 0069A636
GetDriveTypeW.KERNEL32 ref: 0069A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0069A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0069A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0069A730

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

Strings

close, xrefs: 0069A63C
set cd door , xrefs: 0069A6D1
closed, xrefs: 0069A64A, 0069A653
open, xrefs: 0069A65D
wait, xrefs: 0069A6ED
close cd wait, xrefs: 0069A71B
type cdaudio alias cd wait, xrefs: 0069A6AE
open , xrefs: 0069A692

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 458bfb8bc1e102d19ad610e3d7289ef28af2e5c0f246afb7759f381b689cf076
Instruction ID: afe3b116a1c3dfc790e0f5c186e194148c443a876d47fc7d75571a16815261a9
Opcode Fuzzy Hash: 458bfb8bc1e102d19ad610e3d7289ef28af2e5c0f246afb7759f381b689cf076
Instruction Fuzzy Hash: CD516BB51043059FC750EF65C98186AB7FAFF84718F04496CF896972A1DB31EE0ACB92

Function 0069A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0069A47A
__swprintf.LIBCMT ref: 0069A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0069A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0069A4FE
_memset.LIBCMT ref: 0069A51D
_wcsncpy.LIBCMT ref: 0069A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0069A58E
CloseHandle.KERNEL32(00000000), ref: 0069A599
RemoveDirectoryW.KERNEL32(?), ref: 0069A5A2
CloseHandle.KERNEL32(00000000), ref: 0069A5AC

Strings

\??\%s, xrefs: 0069A496
:, xrefs: 0069A4BD
\, xrefs: 0069A4B2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 737c02ce479e0fed3bda6771e5cd8d64fb86c3a41834fb1bca2bbe5c4945f994
Instruction ID: cadbaa99875cb6d36f3436a8ecf1e14d58a61083bd174fe2aa9f566f8311a929
Opcode Fuzzy Hash: 737c02ce479e0fed3bda6771e5cd8d64fb86c3a41834fb1bca2bbe5c4945f994
Instruction Fuzzy Hash: 8B3192B5600219ABDB21DFA0DC49FEB73BEEF89701F1041B6FA08D6160E77097848B65

Function 0066AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0066AB7B
___wtomb_environ.LIBCMT ref: 0066AB9D

Part of subcall function 00658D68: __getptd_noexit.LIBCMT ref: 00658D68

__malloc_crt.LIBCMT ref: 0066ABC5
__malloc_crt.LIBCMT ref: 0066ABE2
_free.LIBCMT ref: 0066AC19
__recalloc_crt.LIBCMT ref: 0066AC52
__recalloc_crt.LIBCMT ref: 0066AC97
_strlen.LIBCMT ref: 0066ACC3
__calloc_crt.LIBCMT ref: 0066ACCD
_strlen.LIBCMT ref: 0066ACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0066AD0A
_free.LIBCMT ref: 0066AD24
_free.LIBCMT ref: 0066AD31
_free.LIBCMT ref: 0066AD43
__invoke_watson.LIBCMT ref: 0066AD5D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: 21fe64b943cd019705ebf1268718ddf450c05e3f3586dc66f03b78abacd5eaa5
Instruction ID: ba953d90ab736d5661329871637afd14bd3ffb3fcd7d1fa94fa673ebef3b9926
Opcode Fuzzy Hash: 21fe64b943cd019705ebf1268718ddf450c05e3f3586dc66f03b78abacd5eaa5
Instruction Fuzzy Hash: 2861E572500205AFDB209FA4D842BBA77ABEF11722F144259E801BB791DF35DD81CFA6

Function 0069DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0069DC7B
_wcscat.LIBCMT ref: 0069DC93
_wcscat.LIBCMT ref: 0069DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0069DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0069DCCE
GetFileAttributesW.KERNEL32(?), ref: 0069DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0069DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0069DD12

Strings

*.*, xrefs: 0069DD51

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: affe59a0abf16e3865dba0e0aa1af5802095797ac366117c7a2ae8f004405b55
Instruction ID: 9b8a419856768a6f4e3ea124a708d8fac23e2b6ee042dcbda6ed19ddd1f7c127
Opcode Fuzzy Hash: affe59a0abf16e3865dba0e0aa1af5802095797ac366117c7a2ae8f004405b55
Instruction Fuzzy Hash: 3481B1B15042019FCF64EF28C8459AEB7EEBF88310F19883EF889C7650E670D945CB92

Function 006BC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006BC4EC
GetFocus.USER32 ref: 006BC4FC
GetDlgCtrlID.USER32(00000000), ref: 006BC507
_memset.LIBCMT ref: 006BC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006BC65D
GetMenuItemCount.USER32(?), ref: 006BC67D
GetMenuItemID.USER32(?,00000000), ref: 006BC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006BC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006BC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006BC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006BC779

Strings

0, xrefs: 006BC62A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 3b46f56bbc07ebf874c8cb4daaf2d9d853c6539092d9fe55987880fd13635fc8
Instruction ID: 116e3d04e065c86b002163198231cb0dfc4279200dcf6c3d7f144a31344865c5
Opcode Fuzzy Hash: 3b46f56bbc07ebf874c8cb4daaf2d9d853c6539092d9fe55987880fd13635fc8
Instruction Fuzzy Hash: BC8160B15043019FD720DF14C984EEBBBEAFB88364F10452DF99597291DB70EA85CBA2

Function 006883F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0068874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00688766
Part of subcall function 0068874A: GetLastError.KERNEL32(?,0068822A,?,?,?), ref: 00688770
Part of subcall function 0068874A: GetProcessHeap.KERNEL32(00000008,?,?,0068822A,?,?,?), ref: 0068877F
Part of subcall function 0068874A: HeapAlloc.KERNEL32(00000000,?,0068822A,?,?,?), ref: 00688786
Part of subcall function 0068874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0068879D

Part of subcall function 006887E7: GetProcessHeap.KERNEL32(00000008,00688240,00000000,00000000,?,00688240,?), ref: 006887F3
Part of subcall function 006887E7: HeapAlloc.KERNEL32(00000000,?,00688240,?), ref: 006887FA
Part of subcall function 006887E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00688240,?), ref: 0068880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00688458
_memset.LIBCMT ref: 0068846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0068848C
GetLengthSid.ADVAPI32(?), ref: 0068849D
GetAce.ADVAPI32(?,00000000,?), ref: 006884DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006884F6
GetLengthSid.ADVAPI32(?), ref: 00688513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00688522
HeapAlloc.KERNEL32(00000000), ref: 00688529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0068854A
CopySid.ADVAPI32(00000000), ref: 00688551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00688582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006885A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006885BC

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5e799db09cb43f0553820a42ceeafa17d41ad1b0ed55f65b64c57e4ad5a9330d
Instruction ID: 775813c0c587b6deff9614ba973635359c76ac9d1c96973828a2ec92521903f7
Opcode Fuzzy Hash: 5e799db09cb43f0553820a42ceeafa17d41ad1b0ed55f65b64c57e4ad5a9330d
Instruction Fuzzy Hash: 9D613F7190020AAFDF10EF94DC45AEEBBBAFF04300F548269F915A72A1DB359A45CF60

Function 006A762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006A76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006A76AE
CreateCompatibleDC.GDI32(?), ref: 006A76BA
SelectObject.GDI32(00000000,?), ref: 006A76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 006A771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 006A7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 006A777B
SelectObject.GDI32(00000006,?), ref: 006A7783
DeleteObject.GDI32(?), ref: 006A778C
DeleteDC.GDI32(00000006), ref: 006A7793
ReleaseDC.USER32(00000000,?), ref: 006A779E

Strings

(, xrefs: 006A7723

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1d414ab8b853f81c50887925a0f56091da2a851f23287d12ce000fcafbaba768
Instruction ID: 46bef6e18045fa84e7049890eeb02f1e95e6ef7c7d068ed1d45c1391e320a18a
Opcode Fuzzy Hash: 1d414ab8b853f81c50887925a0f56091da2a851f23287d12ce000fcafbaba768
Instruction Fuzzy Hash: 32513AB5904209EFCB15DFA8CC85EAEBBBAEF49310F14852DF94997220D631AD418F60

Function 00636BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00650B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00636C6C,?,00008000), ref: 00650BB7

Part of subcall function 006348AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006348A1,?,?,006337C0,?), ref: 006348CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00636D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00636E5A

Part of subcall function 006359CD: _wcscpy.LIBCMT ref: 00635A05

Part of subcall function 0065387D: _iswctype.LIBCMT ref: 00653885

Strings

Bad directive syntax error, xrefs: 0066EBC6
EA06, xrefs: 0066E87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0066E84A
Unterminated string, xrefs: 0066EC0D
>>>AUTOIT SCRIPT<<<, xrefs: 0066E8BF
AU3!, xrefs: 00636CC1
Error opening the file, xrefs: 0066E866, 0066E8E1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 66230c3be5fcd39e18a148d4f80d448a87ed68b09c6ae2a466da5cf82d27d8fd
Instruction ID: 255fc28e8a7bc786f87a7df094a993313a30c1e989f959ee0d842d2195eeb986
Opcode Fuzzy Hash: 66230c3be5fcd39e18a148d4f80d448a87ed68b09c6ae2a466da5cf82d27d8fd
Instruction Fuzzy Hash: 4802AD751083419FC764EF24C881AAFBBE6FF99314F04491DF486972A1DB31EA49CB86

Function 006345DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006345F9
GetMenuItemCount.USER32(006F6890), ref: 0066D7CD
GetMenuItemCount.USER32(006F6890), ref: 0066D87D
GetCursorPos.USER32(?), ref: 0066D8C1
SetForegroundWindow.USER32(00000000), ref: 0066D8CA
TrackPopupMenuEx.USER32(006F6890,00000000,?,00000000,00000000,00000000), ref: 0066D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0066D8E9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 17a32c2486ebb5934bb15c85d55eafbd19c607ed347b0316017c8b4756e3fea4
Instruction ID: 1d7e2a28e299f9407fac5cd18f430863fac041c23bc0ac78ce67ef1cabde8307
Opcode Fuzzy Hash: 17a32c2486ebb5934bb15c85d55eafbd19c607ed347b0316017c8b4756e3fea4
Instruction Fuzzy Hash: 6371E471B40205BBEB219F24DC49FEAFF6AFF05364F20021AF514A62E1CBB16850DB95

Function 006A8BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006A8BEC
CoInitialize.OLE32(00000000), ref: 006A8C19
CoUninitialize.OLE32 ref: 006A8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 006A8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 006A8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006C2C0C), ref: 006A8E84
CoGetObject.OLE32(?,00000000,006C2C0C,?), ref: 006A8EA7
SetErrorMode.KERNEL32(00000000), ref: 006A8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006A8F3A
VariantClear.OLEAUT32(?), ref: 006A8F4A

Strings

,,l, xrefs: 006A8BD6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,l
API String ID: 2395222682-3005423691
Opcode ID: 31942c878c52578ed35ab4bb915f3bfd824206d98ef16482e1f9bf864db5f1cd
Instruction ID: 3946121d966a675c27ef36aeb5760dbad9370f83fae53e848c351641796564b9
Opcode Fuzzy Hash: 31942c878c52578ed35ab4bb915f3bfd824206d98ef16482e1f9bf864db5f1cd
Instruction Fuzzy Hash: 1EC134B1604305AFD700EF28C88496AB7EAFF89348F10495DF58A9B261DB71ED45CF62

Function 006B10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B0038,?,?), ref: 006B10BC

Strings

HKCR, xrefs: 006B1164
HKCU, xrefs: 006B11AC
HKEY_CURRENT_USER, xrefs: 006B119B
HKEY_CURRENT_CONFIG, xrefs: 006B1179
HKEY_USERS, xrefs: 006B11BD
HKEY_CLASSES_ROOT, xrefs: 006B114F
HKLM, xrefs: 006B113A
HKEY_LOCAL_MACHINE, xrefs: 006B1125
HKCC, xrefs: 006B118A
HKU, xrefs: 006B11CE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: f66ce4044db64aeda1f26658de0faa43cfd0ba04d042ef583ce516bcc9f67e7b
Instruction ID: 257ef7849b0709a69b8519167f116cf11867fe9f150916dad75b18dc3e709f2d
Opcode Fuzzy Hash: f66ce4044db64aeda1f26658de0faa43cfd0ba04d042ef583ce516bcc9f67e7b
Instruction Fuzzy Hash: FA417EB011128B9BDF50EF94DDA1AEB3727AF12310F904558EC915B291DB31EA9ACB90

Function 00695569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

Part of subcall function 00637A84: _memmove.LIBCMT ref: 00637B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006955D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006955E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006955F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0069560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0069561C

Strings

close PlayMe, xrefs: 006955E3, 00695610
play PlayMe, xrefs: 00695617
play PlayMe wait, xrefs: 00695606
alias PlayMe, xrefs: 006955AB
open , xrefs: 00695581
status PlayMe mode, xrefs: 006955CD

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a11b4e2f95fb16467b6d1268adf811393abaa8543bcb3a9aec879170503f5131
Instruction ID: d3cb669e80b2a3d7a5066e8a964173c9ef7c5e048f26a2975e2c7c376aad9538
Opcode Fuzzy Hash: a11b4e2f95fb16467b6d1268adf811393abaa8543bcb3a9aec879170503f5131
Instruction Fuzzy Hash: 451182709512A979DB20B6A6CC8ADFF7F7EEF91B00F410469B402E20D1DE601D05CAE5

Function 006948F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0069490E
gethostname.WSOCK32(?,00000100), ref: 00694928
gethostbyname.WSOCK32(?), ref: 00694935
_wcscpy.LIBCMT ref: 0069495D
_memmove.LIBCMT ref: 00694970
inet_ntoa.WSOCK32(?), ref: 0069497B
_strcat.LIBCMT ref: 00694989
_wcscpy.LIBCMT ref: 006949A0
WSACleanup.WSOCK32 ref: 006949AE
_wcscpy.LIBCMT ref: 006949BC

Strings

0.0.0.0, xrefs: 00694957

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: da4480433d13f79c3b6f448ed3102bfd15bb14e0315903335c26d5319f890651
Instruction ID: 772df5b1ba0cc8962b19a8c5589174d8c53ae1f29716de44ebc23f3036c2dad8
Opcode Fuzzy Hash: da4480433d13f79c3b6f448ed3102bfd15bb14e0315903335c26d5319f890651
Instruction Fuzzy Hash: A911E772904125ABCF20EB64EC46EDB77BEDF01721F0402B9F809961A1EF719AC6C755

Function 00695217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0069521C

Part of subcall function 00650719: timeGetTime.WINMM(?,75C0B400,00640FF9), ref: 0065071D

Sleep.KERNEL32(0000000A), ref: 00695248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0069526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0069528E
SetActiveWindow.USER32 ref: 006952AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006952BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 006952DA
Sleep.KERNEL32(000000FA), ref: 006952E5
IsWindow.USER32 ref: 006952F1
EndDialog.USER32(00000000), ref: 00695302

Strings

BUTTON, xrefs: 00695280

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ddca8b9ceaf4192a48dfb2ac92b92e169f46aad410dbc751a6bedd622770ae54
Instruction ID: 8a49ad9aeeb82acf3b9e81d628cb81f7d8070f5555f99df1a18b3416d9593e15
Opcode Fuzzy Hash: ddca8b9ceaf4192a48dfb2ac92b92e169f46aad410dbc751a6bedd622770ae54
Instruction Fuzzy Hash: A521A1B0204704AFEB025F70ED89A763B6FEB55346F003539F402816B1EBA19E80CB21

Function 0069D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

CoInitialize.OLE32(00000000), ref: 0069D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0069D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0069D8FC
CoCreateInstance.OLE32(006C2D7C,00000000,00000001,006EA89C,?), ref: 0069D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0069D9B7
CoTaskMemFree.OLE32(?,?), ref: 0069DA0F
_memset.LIBCMT ref: 0069DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0069DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0069DAAB
CoTaskMemFree.OLE32(00000000), ref: 0069DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0069DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0069DAEB

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b7f737f9131db4908ec22a62180d8d6b97faf6a487ad6ba6bbd6834ddabd01b9
Instruction ID: 6b13571a724235f4bbc31a75963b8498c3aa5973f9b2989fa4988b998d956394
Opcode Fuzzy Hash: b7f737f9131db4908ec22a62180d8d6b97faf6a487ad6ba6bbd6834ddabd01b9
Instruction Fuzzy Hash: 1EB1FC75A00109AFDB44DF64C984DAEBBFAEF48314F048569F50AEB261DB30ED45CB54

Function 0069052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006905A7
SetKeyboardState.USER32(?), ref: 00690612
GetAsyncKeyState.USER32(000000A0), ref: 00690632
GetKeyState.USER32(000000A0), ref: 00690649
GetAsyncKeyState.USER32(000000A1), ref: 00690678
GetKeyState.USER32(000000A1), ref: 00690689
GetAsyncKeyState.USER32(00000011), ref: 006906B5
GetKeyState.USER32(00000011), ref: 006906C3
GetAsyncKeyState.USER32(00000012), ref: 006906EC
GetKeyState.USER32(00000012), ref: 006906FA
GetAsyncKeyState.USER32(0000005B), ref: 00690723
GetKeyState.USER32(0000005B), ref: 00690731

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 80b237055b80151a85660acc57b7b01de8891c994ad65a060933787780f00b89
Instruction ID: 5f5bcf1fcb5134dd1c299cfc99c240602ced8d6131de54e1180d5ad67f3f3a7b
Opcode Fuzzy Hash: 80b237055b80151a85660acc57b7b01de8891c994ad65a060933787780f00b89
Instruction Fuzzy Hash: 8051EC70A047842DFF34DBA089547EABFBE9F12340F08459DD5C25AAC2DA549B8CCB65

Function 0068C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0068C746
GetWindowRect.USER32(00000000,?), ref: 0068C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0068C7B6
GetDlgItem.USER32(?,00000002), ref: 0068C7C1
GetWindowRect.USER32(00000000,?), ref: 0068C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0068C827
GetDlgItem.USER32(?,000003E9), ref: 0068C835
GetWindowRect.USER32(00000000,?), ref: 0068C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0068C889
GetDlgItem.USER32(?,000003EA), ref: 0068C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0068C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0068C8C1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 24c2cdd5a9664ccb27f5b5d23883ca441f3ea2f2a8a511c855a57a770892bc88
Instruction ID: 3162d89eca219b8bdc3c9d5f6f103f36d6995b3508ff4b5407fcda0bc109cbba
Opcode Fuzzy Hash: 24c2cdd5a9664ccb27f5b5d23883ca441f3ea2f2a8a511c855a57a770892bc88
Instruction Fuzzy Hash: 9D5132B1B00205AFDB18DF69DD95AAEBBB6EB88310F14823DF515D72A0D7709D408B50

Function 0063201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00631B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00632036,?,00000000,?,?,?,?,006316CB,00000000,?), ref: 00631B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006320D3
KillTimer.USER32(-00000001,?,?,?,?,006316CB,00000000,?,?,00631AE2,?,?), ref: 0063216E
DestroyAcceleratorTable.USER32(00000000), ref: 0066BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006316CB,00000000,?,?,00631AE2,?,?), ref: 0066BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006316CB,00000000,?,?,00631AE2,?,?), ref: 0066BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006316CB,00000000,?,?,00631AE2,?,?), ref: 0066BF5A
DeleteObject.GDI32(00000000), ref: 0066BF6C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 71a8ffc57a934ba57d0ec1c7a5b3bee1454f75a374bcb97112b7d02fc79d46b9
Instruction ID: c9ddbbd709f952c27e04666ba2e16881b6f274231b17110a3bda9052dd1e8a42
Opcode Fuzzy Hash: 71a8ffc57a934ba57d0ec1c7a5b3bee1454f75a374bcb97112b7d02fc79d46b9
Instruction Fuzzy Hash: 43615931500611EFCB39AF14DD68B6AB7F3FB40316F10A52DE55286A70C771A895DF90

Function 006321A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006325DB: GetWindowLongW.USER32(?,000000EB), ref: 006325EC

GetSysColor.USER32(0000000F), ref: 006321D3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5f01808c10af3aa4164876754f3f8dd90b42411c18ec2463aaaa54b952b9fbf2
Instruction ID: 8f65b0aa44057ac54bc78dada48cd50ce02786cc963511b27f734ac5095c5d6b
Opcode Fuzzy Hash: 5f01808c10af3aa4164876754f3f8dd90b42411c18ec2463aaaa54b952b9fbf2
Instruction Fuzzy Hash: 6A416171100641AADB255F28DC98BFA3B67EB06331F144365FE658A2E6C7318D82DBA1

Function 0069AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,006BF910), ref: 0069AB76
GetDriveTypeW.KERNEL32(00000061,006EA620,00000061), ref: 0069AC40
_wcscpy.LIBCMT ref: 0069AC6A

Strings

all, xrefs: 0069AB7C
fixed, xrefs: 0069ABBE
ramdisk, xrefs: 0069ABEA
removable, xrefs: 0069ABA8
network, xrefs: 0069ABD4
cdrom, xrefs: 0069AB92
unknown, xrefs: 0069AC01

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 46e5ea944abd05cf7c9662a20c944eac647886a1af0827ee56d97250ff1b9654
Instruction ID: d1cf65b92323e2938107bc8fc4b9021af6591521fdd367924219046ae8261384
Opcode Fuzzy Hash: 46e5ea944abd05cf7c9662a20c944eac647886a1af0827ee56d97250ff1b9654
Instruction Fuzzy Hash: 9551A0301083019BCB54EF54C981AAEB7EBEF84305F14492DF896576A2DB31ED4ACB93

Function 006BC27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

Part of subcall function 00632344: GetCursorPos.USER32(?), ref: 00632357
Part of subcall function 00632344: ScreenToClient.USER32(006F67B0,?), ref: 00632374
Part of subcall function 00632344: GetAsyncKeyState.USER32(00000001), ref: 00632399
Part of subcall function 00632344: GetAsyncKeyState.USER32(00000002), ref: 006323A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 006BC2E4
ImageList_EndDrag.COMCTL32 ref: 006BC2EA
ReleaseCapture.USER32 ref: 006BC2F0
SetWindowTextW.USER32(?,00000000), ref: 006BC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006BC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 006BC48F

Strings

@GUI_DROPID, xrefs: 006BC3E1
pro, xrefs: 006BC438
@GUI_DRAGFILE, xrefs: 006BC424
pro, xrefs: 006BC3FD

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pro$pro
API String ID: 1924731296-137308330
Opcode ID: 6281b3a386a90d2a8dc68cf117eeba86f2c19d46455cce2877b6a1a6f05256f1
Instruction ID: b14fcb415532edddccb9c93a1bcce058a49f851822b95c880cfebe473db8d95a
Opcode Fuzzy Hash: 6281b3a386a90d2a8dc68cf117eeba86f2c19d46455cce2877b6a1a6f05256f1
Instruction Fuzzy Hash: 77517DB0204305AFD710EF14CC55FAA7BE6EB88310F00452DF5968B2F1DB71AA84DB66

Function 00639997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 006399C2
__swprintf.LIBCMT ref: 00639A0C
__i64tow.LIBCMT ref: 0066FA0F

Strings

True, xrefs: 0066F9D0
%.15g, xrefs: 00639A06
False, xrefs: 0066F9D7
0x%p, xrefs: 0066F9F1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: edc4654673e15a7dc51d05e2d6ce1ebca5dbc2254cc29d33c38de8e60197ce33
Instruction ID: 7df123c3c68f058469fe54735f7e7e8cff4fd8dc4204107dab912e66f59e56d2
Opcode Fuzzy Hash: edc4654673e15a7dc51d05e2d6ce1ebca5dbc2254cc29d33c38de8e60197ce33
Instruction Fuzzy Hash: 3441F571904205AFEB24EF78EC42F7673EAEB04300F24496EE949D7391EA719942CB61

Function 006B73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B73D9
CreateMenu.USER32 ref: 006B73F4
SetMenu.USER32(?,00000000), ref: 006B7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B7490
IsMenu.USER32(?), ref: 006B74A6
CreatePopupMenu.USER32 ref: 006B74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B74DD
DrawMenuBar.USER32 ref: 006B74E5

Strings

F, xrefs: 006B74D1
0, xrefs: 006B73CF

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 12cac6e57948a92b2acdd238c8a90fc93698e555a48d16394a3cd869044b761e
Instruction ID: 85b3faab6bf468ef34b24d1f7cc7df21ed7c65602c39e5092f91124b1c07af00
Opcode Fuzzy Hash: 12cac6e57948a92b2acdd238c8a90fc93698e555a48d16394a3cd869044b761e
Instruction Fuzzy Hash: 8D4158B5A00209EFDB20DF64D884EEABBF6FF49341F144128F95997360D730A950CB60

Function 006B772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006B77CD
CreateCompatibleDC.GDI32(00000000), ref: 006B77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006B77E7
SelectObject.GDI32(00000000,00000000), ref: 006B77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 006B77FA
DeleteDC.GDI32(00000000), ref: 006B7803
GetWindowLongW.USER32(?,000000EC), ref: 006B780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006B7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006B782D

Strings

static, xrefs: 006B7765

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d6de91d08b466f3777f02992f5b74eaa302e497956ba35bb76d5d75adedf3f68
Instruction ID: e0409a4aef5e11d6ba9eaf490c7c2ee042df35552a85973863b6cb332903ec0c
Opcode Fuzzy Hash: d6de91d08b466f3777f02992f5b74eaa302e497956ba35bb76d5d75adedf3f68
Instruction Fuzzy Hash: 72316CB2105115ABDF219F74DC09FDA3B6AEF49320F110325FA15A61B0DB71D8A1DBA4

Function 00657040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065707B

Part of subcall function 00658D68: __getptd_noexit.LIBCMT ref: 00658D68

__gmtime64_s.LIBCMT ref: 00657114
__gmtime64_s.LIBCMT ref: 0065714A
__gmtime64_s.LIBCMT ref: 00657167
__allrem.LIBCMT ref: 006571BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006571D9
__allrem.LIBCMT ref: 006571F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0065720E
__allrem.LIBCMT ref: 00657225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00657243
__invoke_watson.LIBCMT ref: 006572B4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: ecdd356c9200392c0fba47dfbbb215d4918161416b906d22b3619c721cf0103b
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 2271F8B1A04716ABD7149E79DC42B9AB3EAAF11321F14422EFC14E77C1EB70DA488794

Function 00692A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00692A31
GetMenuItemInfoW.USER32(006F6890,000000FF,00000000,00000030), ref: 00692A92
SetMenuItemInfoW.USER32(006F6890,00000004,00000000,00000030), ref: 00692AC8
Sleep.KERNEL32(000001F4), ref: 00692ADA
GetMenuItemCount.USER32(?), ref: 00692B1E
GetMenuItemID.USER32(?,00000000), ref: 00692B3A
GetMenuItemID.USER32(?,-00000001), ref: 00692B64
GetMenuItemID.USER32(?,?), ref: 00692BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00692BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00692C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00692C24

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 97834ee1c88cc3d8d5a2cb36f01932efbd7830655d97672706a0022d74e1c0c7
Instruction ID: 414154a6e687b1732cb7e45cf572b20366de550b959e0850fab0d27adba6cf9e
Opcode Fuzzy Hash: 97834ee1c88cc3d8d5a2cb36f01932efbd7830655d97672706a0022d74e1c0c7
Instruction Fuzzy Hash: 2E616BB190024ABFDF21CF64DDA8EEE7BBEEB01308F140559E84197661D731AD46DB20

Function 006B7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006B7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006B7217
GetWindowLongW.USER32(?,000000F0), ref: 006B723B
_memset.LIBCMT ref: 006B724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006B725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006B72D6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 30b91be44150e3b8fae35c96d60ffa4bde8c540396a1a4f5761f516f3a9f6ff8
Instruction ID: 200a74af8fc8446888263b612fbc1d483866957e75793c287a60da1244ff88af
Opcode Fuzzy Hash: 30b91be44150e3b8fae35c96d60ffa4bde8c540396a1a4f5761f516f3a9f6ff8
Instruction Fuzzy Hash: 39615CB5900208AFDB10DFA4CC81EEE77FAEB49710F144159FA15A73A1D770AE85DB60

Function 0068710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00687135
SafeArrayAllocData.OLEAUT32(?), ref: 0068718E
VariantInit.OLEAUT32(?), ref: 006871A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 006871C0
VariantCopy.OLEAUT32(?,?), ref: 00687213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00687227
VariantClear.OLEAUT32(?), ref: 0068723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00687249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00687252
VariantClear.OLEAUT32(?), ref: 00687264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0068726F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 7b6182ffae004255f5fd3d11337089faf34db4846d18c0905fa33a45cffa9542
Instruction ID: c23903fc1b83beb63814eb0605b1cc6eb9621ae82888a81dcd101c0dd280d117
Opcode Fuzzy Hash: 7b6182ffae004255f5fd3d11337089faf34db4846d18c0905fa33a45cffa9542
Instruction Fuzzy Hash: 08414075904219AFCB00EF68DC489AEBBBAFF08354F108169F955A7261CB70EA45CB90

Function 006A86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

CoInitialize.OLE32 ref: 006A8718
CoUninitialize.OLE32 ref: 006A8723
CoCreateInstance.OLE32(?,00000000,00000017,006C2BEC,?), ref: 006A8783
IIDFromString.OLE32(?,?), ref: 006A87F6
VariantInit.OLEAUT32(?), ref: 006A8890
VariantClear.OLEAUT32(?), ref: 006A88F1

Strings

Invalid parameter, xrefs: 006A880F
Failed to create object, xrefs: 006A878E, 006A8844
NULL Pointer assignment, xrefs: 006A87C8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 6fd4ec76b74f46bf068178ab733a6c85777fb17ea7e4d5ae24eed9897bd666e3
Instruction ID: 015183e6e767ea5db13052f8789cb571e663b256bfc0c4a9a9eaec935c62ebc8
Opcode Fuzzy Hash: 6fd4ec76b74f46bf068178ab733a6c85777fb17ea7e4d5ae24eed9897bd666e3
Instruction Fuzzy Hash: 6261AD706083019FD710EF64C848B6EBBEAAF46714F10491DF9859B291DB74ED48CF96

Function 006A5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006A5AA6
inet_addr.WSOCK32(?,?,?), ref: 006A5AEB
gethostbyname.WSOCK32(?), ref: 006A5AF7
IcmpCreateFile.IPHLPAPI ref: 006A5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006A5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006A5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006A5C00
WSACleanup.WSOCK32 ref: 006A5C06

Strings

Ping, xrefs: 006A5B29

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5f2ec75fa3563e4df58cb4fff7e84c5bb5b9c1d2a506eabf073c9d99cc8e6fe4
Instruction ID: 3012ac71a935a6fc5f794ecb54711a0bdeab309140ae2a99bfcd1f71a36bcbd9
Opcode Fuzzy Hash: 5f2ec75fa3563e4df58cb4fff7e84c5bb5b9c1d2a506eabf073c9d99cc8e6fe4
Instruction Fuzzy Hash: F2518C316047009FD710EF24CC95B6AB7E6EF49310F048969F956DB2A1DB70EC408F66

Function 0069B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0069B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0069B7B1
GetLastError.KERNEL32 ref: 0069B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0069B828

Strings

READONLY, xrefs: 0069B7F3
INVALID, xrefs: 0069B7FA
UNKNOWN, xrefs: 0069B7E0
NOTREADY, xrefs: 0069B7E7
READY, xrefs: 0069B801

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 424ae0b67ee2ee2f7e04cec1724d5a9429d7bc46bbce173b6fb9449ee1ef4f05
Instruction ID: 002b6e015f1d36d2c471eb5dfb6d3cdd0fef52b2a8ed6e30df1ceb9c91661d4d
Opcode Fuzzy Hash: 424ae0b67ee2ee2f7e04cec1724d5a9429d7bc46bbce173b6fb9449ee1ef4f05
Instruction Fuzzy Hash: 13319235A002099FDF10EFA8ED85AFEB7BAEF44700F145129E402DB7A1DB719946CB91

Function 00689471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 0068B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0068B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006894F6
GetDlgCtrlID.USER32 ref: 00689501
GetParent.USER32 ref: 0068951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00689520
GetDlgCtrlID.USER32(?), ref: 00689529
GetParent.USER32(?), ref: 00689545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00689548

Strings

ComboBox, xrefs: 0068947E
ListBox, xrefs: 006894B3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a8fb0d4a7c0fa74e20fba9f0e7701b2998afb5727d1f67e1fb6de3e4b4ecab87
Instruction ID: e39e78b114dc5765c66b143e517b957cc027635810f0f05c87339802602118cd
Opcode Fuzzy Hash: a8fb0d4a7c0fa74e20fba9f0e7701b2998afb5727d1f67e1fb6de3e4b4ecab87
Instruction Fuzzy Hash: 7D210670900204BBCF00AB65CC85DFEBB76FF45300F10021AB922972E2DB755919DB30

Function 0068955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 0068B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0068B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006895DF
GetDlgCtrlID.USER32 ref: 006895EA
GetParent.USER32 ref: 00689606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00689609
GetDlgCtrlID.USER32(?), ref: 00689612
GetParent.USER32(?), ref: 0068962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00689631

Strings

ComboBox, xrefs: 00689569
ListBox, xrefs: 0068959E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1aeb7a6fc7080d8fef96d891964b9dc6c1300965db00a54594a728f25ab5e355
Instruction ID: bc33ffe5ba0bdef2394f3792c0d1120f1f45ad010cd493f7f01f290b5292a10c
Opcode Fuzzy Hash: 1aeb7a6fc7080d8fef96d891964b9dc6c1300965db00a54594a728f25ab5e355
Instruction Fuzzy Hash: 7321C8B4900204BBDF01AB65CC85EFEBB76EF45300F14421AF911972A1EB755559DB30

Function 00689645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00689651
GetClassNameW.USER32(00000000,?,00000100), ref: 00689666
_wcscmp.LIBCMT ref: 00689678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006896F3

Strings

smallicons, xrefs: 006896BB
details, xrefs: 006896A1
largeicons, xrefs: 00689687
SHELLDLL_DefView, xrefs: 00689672
list, xrefs: 006896D5

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: df9db5cdd20a93b8a6922874a667b8f39783b5079513158519474f98083f5296
Instruction ID: 2b9f1528554ecd1bc7c304241fb142663c7f4dfde323dd9484ea35280013df26
Opcode Fuzzy Hash: df9db5cdd20a93b8a6922874a667b8f39783b5079513158519474f98083f5296
Instruction Fuzzy Hash: 3D110676248357BAFB113631DC06DF6779F9F057A1F20022AFD00A51E1FEA269914B78

Function 00694189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0069419D
__swprintf.LIBCMT ref: 006941AA

Part of subcall function 006538D8: __woutput_l.LIBCMT ref: 00653931

FindResourceW.KERNEL32(?,?,0000000E), ref: 006941D4
LoadResource.KERNEL32(?,00000000), ref: 006941E0
LockResource.KERNEL32(00000000), ref: 006941ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0069420D
LoadResource.KERNEL32(?,00000000), ref: 0069421F
SizeofResource.KERNEL32(?,00000000), ref: 0069422E
LockResource.KERNEL32(?), ref: 0069423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0069429B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: a1af46230bac3e4610bab5944f49ec3cde093cef1abff76c0291215189050488
Instruction ID: e3ea558920375396a0e26e40660195538f243d375a80ef5c2ab69b798e1c838b
Opcode Fuzzy Hash: a1af46230bac3e4610bab5944f49ec3cde093cef1abff76c0291215189050488
Instruction Fuzzy Hash: B1316DB160521AAFDF119FA0DC49EBB7BAEFF08341F004625F905D6650EB70DA52CBA4

Function 006916DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00691700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00690778,?,00000001), ref: 00691714
GetWindowThreadProcessId.USER32(00000000), ref: 0069171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00690778,?,00000001), ref: 0069172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0069173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00690778,?,00000001), ref: 00691755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00690778,?,00000001), ref: 00691767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00690778,?,00000001), ref: 006917AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00690778,?,00000001), ref: 006917C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00690778,?,00000001), ref: 006917CC

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6e9c620c968293214fc1d2c21071d8ac06976bfbff513da4d7c1b65d9173d586
Instruction ID: 9b0db80ac413ed05494b598144b3390edf4ed92779cd67bcc0ea85e8e07bb9ae
Opcode Fuzzy Hash: 6e9c620c968293214fc1d2c21071d8ac06976bfbff513da4d7c1b65d9173d586
Instruction Fuzzy Hash: 1B318FB5605206BBEF119F94DD84BB97BAFEB56711F206025F804CE7A0D7749D80CB60

Function 006A9428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A947C
VariantInit.OLEAUT32(?), ref: 006A954D
VariantInit.OLEAUT32(?), ref: 006A964E
VariantClear.OLEAUT32(?), ref: 006A9658
VariantClear.OLEAUT32(?), ref: 006A96B5

Strings

,,l, xrefs: 006A94FA
Null Object assignment in FOR..IN loop, xrefs: 006A94DD, 006A960B, 006A96C3
Incorrect Object type in FOR..IN loop, xrefs: 006A9631

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,l$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2938958909
Opcode ID: 9dcf5488e1dbac19244f9e4476b41bf79389660552b4c3646a79714b2d40951d
Instruction ID: a9692f1e93f8a5832e93e4978fcf32dde1c9c136621fbbcfc788d3956bc658b4
Opcode Fuzzy Hash: 9dcf5488e1dbac19244f9e4476b41bf79389660552b4c3646a79714b2d40951d
Instruction Fuzzy Hash: 7A916D71A00215ABDF24EFA5C848FEEBBBAEF46710F208159F515AB290D7709D45CFA0

Function 0068A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0068AA64), ref: 0068A9A2

Strings

REGEXPCLASS, xrefs: 0068A767
INSTANCE, xrefs: 0068A8B0
NAME, xrefs: 0068A7D4
CLASSNN, xrefs: 0068A744
CLASS, xrefs: 0068A721
TEXT, xrefs: 0068A8D9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 2215a81087c655f81d0faddb468f837f4840c0613d9ec6bc4cf40dd1b34fea68
Instruction ID: 333b14fcb657dd0a853cf73b2010c3a1ff9df166202e257de70425d10a44c0a5
Opcode Fuzzy Hash: 2215a81087c655f81d0faddb468f837f4840c0613d9ec6bc4cf40dd1b34fea68
Instruction Fuzzy Hash: AC917670904646DBEF58EFA0C481BE9FB77BF04304F10821EEC5AA7251DB30695ADBA5

Function 00632E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00632EAE

Part of subcall function 00631DB3: GetClientRect.USER32(?,?), ref: 00631DDC
Part of subcall function 00631DB3: GetWindowRect.USER32(?,?), ref: 00631E1D
Part of subcall function 00631DB3: ScreenToClient.USER32(?,?), ref: 00631E45

GetDC.USER32 ref: 0066CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0066CF95
SelectObject.GDI32(00000000,00000000), ref: 0066CFA3
SelectObject.GDI32(00000000,00000000), ref: 0066CFB8
ReleaseDC.USER32(?,00000000), ref: 0066CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0066D04B

Strings

U, xrefs: 0066CF20

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6c32873a437e6c31564e4956a2069ea40518b7fde28f3f6b1dd9eae5e9dc04a8
Instruction ID: e303ea97e3210f9a456a2a979130f95b99004ccc64e34dc03ea7b1e4ad7aa246
Opcode Fuzzy Hash: 6c32873a437e6c31564e4956a2069ea40518b7fde28f3f6b1dd9eae5e9dc04a8
Instruction Fuzzy Hash: 9271A271900205EFCF218F64C895AFA7BB7FF49364F14426AED955A266C7318C82DBA0

Function 006A8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,006BF910), ref: 006A903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006BF910), ref: 006A9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006A91EB
SysFreeString.OLEAUT32(?), ref: 006A9215

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 4c0178ce93af1555847ff393f57ff0018fa99387e11bb71daa68c4116fe33aa7
Instruction ID: fdee7af53e4de2f7a2fb03dcc6868fd121e93ac400b9f6454acf8adbb5b94bef
Opcode Fuzzy Hash: 4c0178ce93af1555847ff393f57ff0018fa99387e11bb71daa68c4116fe33aa7
Instruction Fuzzy Hash: 9BF10975900109EFDF04EF94C888EAEB7BABF4A315F208459F516AB251DB31AE45CF60

Function 006AF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006AFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006AFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006AFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006AFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006AFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006AFD90
CloseHandle.KERNEL32(?), ref: 006AFDBF
CloseHandle.KERNEL32(?), ref: 006AFE36

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: cb2c578df10eafcab29fa96d95f44fbe2990631a938e429b98694ea450aa1e95
Instruction ID: 37fbbeffcf7cab56cd0a5065113ab6ac66d7421637e062afa574b2fd0685e7b6
Opcode Fuzzy Hash: cb2c578df10eafcab29fa96d95f44fbe2990631a938e429b98694ea450aa1e95
Instruction Fuzzy Hash: 26E1B331204341DFCB54EF64C891AAABBE2AF45314F14856DF89A9B3A2CB31DC45CF56

Function 00694F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006948AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006938D3,?), ref: 006948C7

Part of subcall function 006948AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006938D3,?), ref: 006948E0

Part of subcall function 00694CD3: GetFileAttributesW.KERNEL32(?,00693947), ref: 00694CD4

lstrcmpiW.KERNEL32(?,?), ref: 00694FE2
_wcscmp.LIBCMT ref: 00694FFC
MoveFileW.KERNEL32(?,?), ref: 00695017

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 7f3d842ab795a5d3ff027765dea35d6f0dedaf6075773697ce600830a5f5b3a9
Instruction ID: 665a9077a5cb87e4f370aac8560cb5ae827d8ab713567c1462f3a8008876486b
Opcode Fuzzy Hash: 7f3d842ab795a5d3ff027765dea35d6f0dedaf6075773697ce600830a5f5b3a9
Instruction Fuzzy Hash: 2F5184B20087859BCB64DB50CC819DFB3EDAF85311F00092EB589D3551EF30A28D876A

Function 006B88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006B896E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 56d6b36efeaa72a2cc329ef69e05a88ad55cf3f717db5327fad496d5d50d698e
Instruction ID: cedeb05afb9f933e1dc7a8bbd29b75c01aa4bb4bf15d3c241dd6c399dc27e691
Opcode Fuzzy Hash: 56d6b36efeaa72a2cc329ef69e05a88ad55cf3f717db5327fad496d5d50d698e
Instruction Fuzzy Hash: 2C5162B0540219BFDF209F28CC85BEA7B6BAF05350F60411AF515E72A1DF71AAC0DB91

Function 00632B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0066C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0066C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0066C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0066C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0066C5C0
DestroyIcon.USER32(00000000), ref: 0066C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0066C5EC
DestroyIcon.USER32(?), ref: 0066C5FB

Part of subcall function 006BA71E: DeleteObject.GDI32(00000000), ref: 006BA757

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: cf2c0b0aa348f385b444ad2f612f2752e142ce29f916e10d2a28bb51b48f31b4
Instruction ID: e8d76f4c33d7fe5809c901234dbcc39b8be1a516e627f7a711362fda55e5715a
Opcode Fuzzy Hash: cf2c0b0aa348f385b444ad2f612f2752e142ce29f916e10d2a28bb51b48f31b4
Instruction Fuzzy Hash: 22517B7060060AAFDB20DF24DC55FBA7BF6EB58360F104528F952972A0DB70ED91DBA0

Function 00689B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0068AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0068AE77
Part of subcall function 0068AE57: GetCurrentThreadId.KERNEL32 ref: 0068AE7E
Part of subcall function 0068AE57: AttachThreadInput.USER32(00000000,?,00689B65,?,00000001), ref: 0068AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00689B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00689B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00689B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00689B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00689BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00689BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00689BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00689BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00689BDD

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9a39263ccbfe3dfd2275877ce4b86d3fb23857f08d71c0c66f35b2a383b7efe8
Instruction ID: bf575d196bdf177f5fcd21c5e7695c1ea0f875e888057236fe04f29c87679318
Opcode Fuzzy Hash: 9a39263ccbfe3dfd2275877ce4b86d3fb23857f08d71c0c66f35b2a383b7efe8
Instruction Fuzzy Hash: 5011E5B1950218BEF7106B64DC89F6A3B1EDB4C751F101929F644AB0A0C9F25C50DBA4

Function 00688E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00688A84,00000B00,?,?), ref: 00688E0C
HeapAlloc.KERNEL32(00000000,?,00688A84,00000B00,?,?), ref: 00688E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00688A84,00000B00,?,?), ref: 00688E28
GetCurrentProcess.KERNEL32(?,00000000,?,00688A84,00000B00,?,?), ref: 00688E30
DuplicateHandle.KERNEL32(00000000,?,00688A84,00000B00,?,?), ref: 00688E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00688A84,00000B00,?,?), ref: 00688E43
GetCurrentProcess.KERNEL32(00688A84,00000000,?,00688A84,00000B00,?,?), ref: 00688E4B
DuplicateHandle.KERNEL32(00000000,?,00688A84,00000B00,?,?), ref: 00688E4E
CreateThread.KERNEL32(00000000,00000000,00688E74,00000000,00000000,00000000), ref: 00688E68

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0c75dfea3dc32d72cf90211dd153e330221277fc4aedfd57e720fd109bb6a66d
Instruction ID: b8641dab17f88e7eec48e7e43c7518088a8b1a6cf29452575e052ef1113c3b59
Opcode Fuzzy Hash: 0c75dfea3dc32d72cf90211dd153e330221277fc4aedfd57e720fd109bb6a66d
Instruction Fuzzy Hash: 5601B6B5240308FFE710AFA9DC4DF6B3BADEB89711F415921FA05DB2A1CA709840CB20

Function 006A9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00687652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?,?,?,0068799D), ref: 0068766F
Part of subcall function 00687652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?,?), ref: 0068768A
Part of subcall function 00687652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?,?), ref: 00687698
Part of subcall function 00687652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?), ref: 006876A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 006A9B1B
_memset.LIBCMT ref: 006A9B28
_memset.LIBCMT ref: 006A9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 006A9C97
CoTaskMemFree.OLE32(?), ref: 006A9CA2

Strings

NULL Pointer assignment, xrefs: 006A9CF0

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: a3f10f286a87217a7d001db4416880118d5689832d7b35e289caa8fa39cfe6cf
Instruction ID: ce18ccd80531c3d2d53cdc95fdb2c7383c46d40fc892bbde04440741958dbf11
Opcode Fuzzy Hash: a3f10f286a87217a7d001db4416880118d5689832d7b35e289caa8fa39cfe6cf
Instruction Fuzzy Hash: C7913A71D00219EBDF10EFA4DC81ADEBBBAEF09710F204159F519A7291DB715A45CFA0

Function 006B6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006B7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 006B70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006B70C1
_wcscat.LIBCMT ref: 006B711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 006B7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006B7161

Strings

SysListView32, xrefs: 006B7065

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: fc2f5a28f4a5d5c7d2e36b3e3ba7090f0e620fab66c9e54dacde1a41cb845e44
Instruction ID: 6424c009a6bd2ac1b2d2818e14bc16415c25928e0a216e12fc76d080298f45cb
Opcode Fuzzy Hash: fc2f5a28f4a5d5c7d2e36b3e3ba7090f0e620fab66c9e54dacde1a41cb845e44
Instruction Fuzzy Hash: 7441A3B1904308AFDB219F64CC85BEE77FAEF48350F10052AF944E72A2D6719DC48B64

Function 006AEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00693E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00693EB6
Part of subcall function 00693E91: Process32FirstW.KERNEL32(00000000,?), ref: 00693EC4
Part of subcall function 00693E91: CloseHandle.KERNEL32(00000000), ref: 00693F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AECB8
GetLastError.KERNEL32 ref: 006AECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 006AED77
GetLastError.KERNEL32(00000000), ref: 006AED82
CloseHandle.KERNEL32(00000000), ref: 006AEDB7

Strings

SeDebugPrivilege, xrefs: 006AECD6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3e3ed4d6adb34af89d2459be65f55c4d0f20a7fdfb0f902dcd7f3d5069f2a785
Instruction ID: e52dac022ca1e748c23cbc14526ccfc6cf28844cc518140d4b8e56319a76567e
Opcode Fuzzy Hash: 3e3ed4d6adb34af89d2459be65f55c4d0f20a7fdfb0f902dcd7f3d5069f2a785
Instruction Fuzzy Hash: E84178712002019FDB14FF28CC95B6EB7A6AF41714F08855DF8429B292DBB6AC458F99

Function 00693226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006932C5

Strings

question, xrefs: 0069327E
stop, xrefs: 00693296
blank, xrefs: 00693247
info, xrefs: 00693266
warning, xrefs: 006932AE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c5a153c1c43fc1e4c3cadb100d5d50e38bef1a572e1d93c423acd856158e085a
Instruction ID: b9844e11d0b4d52334ccaffeb80442385c431d67327f37b29e129acd13c608c5
Opcode Fuzzy Hash: c5a153c1c43fc1e4c3cadb100d5d50e38bef1a572e1d93c423acd856158e085a
Instruction Fuzzy Hash: B8115B312083A6BA9F115B65DC42CABB39EDF197B0F20006AF901A6781E661AB4105A5

Function 00694534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0069454E
LoadStringW.USER32(00000000), ref: 00694555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0069456B
LoadStringW.USER32(00000000), ref: 00694572
_wprintf.LIBCMT ref: 00694598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006945B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00694593

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 972549be0b795382d916ce9ca078e58bdc4b5bc61469d7b48afff7a40730e001
Instruction ID: 100ef6edaa0a199e7636440cd8c262338fc036cc95af57f0722063b7bca2a923
Opcode Fuzzy Hash: 972549be0b795382d916ce9ca078e58bdc4b5bc61469d7b48afff7a40730e001
Instruction Fuzzy Hash: 070162F2900208BFE750ABA4DD8AEF7776DDB08301F0009A5BB45D2162EA749EC58B74

Function 006BD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

GetSystemMetrics.USER32(0000000F), ref: 006BD78A
GetSystemMetrics.USER32(0000000F), ref: 006BD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006BD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006BDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006BDA24
ShowWindow.USER32(00000003,00000000), ref: 006BDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 006BDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 006BDA8B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ff817efae513b3530abe45883dae6a44d4ee789eb95ce00d266d1886b12338dc
Instruction ID: 042a4f6f714ba617e1704e07e517a559ea75abf299a4dd2cfb15c894fa976f90
Opcode Fuzzy Hash: ff817efae513b3530abe45883dae6a44d4ee789eb95ce00d266d1886b12338dc
Instruction Fuzzy Hash: 8CB168B1600225EBDF14CF69C9C57FD7BB2BF44701F088169ED589E295EB34A990CB60

Function 00632A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0066C417,00000004,00000000,00000000,00000000), ref: 00632ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0066C417,00000004,00000000,00000000,00000000,000000FF), ref: 00632B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0066C417,00000004,00000000,00000000,00000000), ref: 0066C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0066C417,00000004,00000000,00000000,00000000), ref: 0066C4D6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eee4674d263521453f9d7b5af1aa8c4961bbe09d3c97d8d872ac1ad11c0d5fc0
Instruction ID: ec39f7f8a60434147106b6c641b59332c0c2ab0ac9d94fc1c30e2c2c26e9c1f0
Opcode Fuzzy Hash: eee4674d263521453f9d7b5af1aa8c4961bbe09d3c97d8d872ac1ad11c0d5fc0
Instruction Fuzzy Hash: D2412B702087819BC7358B28DCBC7BB7BD3AF45310F18981DE09786771CA75A882D7A0

Function 00697368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0069737F

Part of subcall function 00650FF6: std::exception::exception.LIBCMT ref: 0065102C
Part of subcall function 00650FF6: __CxxThrowException@8.LIBCMT ref: 00651041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006973B6
EnterCriticalSection.KERNEL32(?), ref: 006973D2
_memmove.LIBCMT ref: 00697420
_memmove.LIBCMT ref: 0069743D
LeaveCriticalSection.KERNEL32(?), ref: 0069744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00697461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00697480

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 2833495857d67d89ff5717a9c75a7e5649dc3fb0c8745b84e4d305b0e05dd2cc
Instruction ID: a81b9fc28461bd97cfb618e0ba3905ad9de6622d04e05c5eb0f4d86d3f371303
Opcode Fuzzy Hash: 2833495857d67d89ff5717a9c75a7e5649dc3fb0c8745b84e4d305b0e05dd2cc
Instruction Fuzzy Hash: AA31BE71900205EBDF10DFA8DC85AAF7BBAEF45710F1441A9FD04AB256DB309A54CBA4

Function 006B6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006B645A
GetDC.USER32(00000000), ref: 006B6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006B646D
ReleaseDC.USER32(00000000,00000000), ref: 006B6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006B64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006B64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006B9299,?,?,000000FF,00000000,?,000000FF,?), ref: 006B6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006B6520

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9485681e361ddabe8295df68c880560ee3e433edae0416b78429f023882fdc62
Instruction ID: 381616f50f4bda03f12ff2f219ab1eb63f160fede53da6309f297e263884c5fd
Opcode Fuzzy Hash: 9485681e361ddabe8295df68c880560ee3e433edae0416b78429f023882fdc62
Instruction Fuzzy Hash: F031A2B2100210BFEB208F10CC49FEB3FAAEF09765F044165FE089A2A1D6759C91CB74

Function 0068C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0068C087
_memcmp.LIBCMT ref: 0068C0A9
_memcmp.LIBCMT ref: 0068C0C1
_memcmp.LIBCMT ref: 0068C0D4
_memcmp.LIBCMT ref: 0068C0EE
_memcmp.LIBCMT ref: 0068C101
_memcmp.LIBCMT ref: 0068C119
_memcmp.LIBCMT ref: 0068C134

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3031daef5bff9e7464aabfa6c25b2afd62bef17b6f91d5338a2fe2a8cc1c698c
Instruction ID: b90fb6484f02942720cd42f2f5d24dd44fef123b213f383cea24641c637d63b7
Opcode Fuzzy Hash: 3031daef5bff9e7464aabfa6c25b2afd62bef17b6f91d5338a2fe2a8cc1c698c
Instruction Fuzzy Hash: 6621C561A00206B7D650B6209C96FBB335FEF213F9F044128FD059A382E772DD1583B9

Function 0069ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

Part of subcall function 0064FEC6: _wcscpy.LIBCMT ref: 0064FEE9

_wcstok.LIBCMT ref: 0069EEFF
_wcscpy.LIBCMT ref: 0069EF8E
_memset.LIBCMT ref: 0069EFC1

Strings

X, xrefs: 0069EFFE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 851a9114c12fc319540b88649bbece8b444f4724eebdb715dd816035130795c8
Instruction ID: dc4a0424fca3893a65118fee175d7c86a9d833fada3b9b0fd659959ec4794fca
Opcode Fuzzy Hash: 851a9114c12fc319540b88649bbece8b444f4724eebdb715dd816035130795c8
Instruction Fuzzy Hash: 73C191715083009FCB64EF24C881A9AB7E6FF85314F04492DF89A977A2DB70ED45CB96

Function 006A6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006A6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006A6F35
WSAGetLastError.WSOCK32(00000000), ref: 006A6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 006A6FFE
inet_ntoa.WSOCK32(?), ref: 006A6FBB

Part of subcall function 0068AE14: _strlen.LIBCMT ref: 0068AE1E
Part of subcall function 0068AE14: _memmove.LIBCMT ref: 0068AE40

_strlen.LIBCMT ref: 006A7058
_memmove.LIBCMT ref: 006A70C1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 9e1eac1edad3d5b7df071f20f7bab7ef199f251400db1f02eba10feb937756f8
Instruction ID: e2bf32ab096dc1b4cb7be7d467f6330f25e41287d93dc476dade80b205b58cc5
Opcode Fuzzy Hash: 9e1eac1edad3d5b7df071f20f7bab7ef199f251400db1f02eba10feb937756f8
Instruction Fuzzy Hash: 4B81E171108300AFD750EF24CC85EABB3EBAF85714F144A1CF5569B2A2DA70AD05CBA6

Function 00631424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b81cfd50e5116a2d5bfd64269257e4a971e7c3a8fe9bb5c756036507d99782f
Instruction ID: 6acee69b88421d8330a8609cea7e8924dda38ad04c222f64886607dd0312ce50
Opcode Fuzzy Hash: 0b81cfd50e5116a2d5bfd64269257e4a971e7c3a8fe9bb5c756036507d99782f
Instruction Fuzzy Hash: 28714D70900109EFDB14DF58CC45AFEBBBAFF86314F14C259F915AA252C734AA51CBA4

Function 006BB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C96C98), ref: 006BB6A5
IsWindowEnabled.USER32(00C96C98), ref: 006BB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006BB795
SendMessageW.USER32(00C96C98,000000B0,?,?), ref: 006BB7CC
IsDlgButtonChecked.USER32(?,?), ref: 006BB809
GetWindowLongW.USER32(00C96C98,000000EC), ref: 006BB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006BB843

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 604d2eb33a140f3bcf3c46dcb8f171bb030b220aed3db5833c0aa2394e6ce111
Instruction ID: 1fdd7e4dd308efeaf3e6aebb19bdcfc545105e945517533485d1306a66beb8ab
Opcode Fuzzy Hash: 604d2eb33a140f3bcf3c46dcb8f171bb030b220aed3db5833c0aa2394e6ce111
Instruction Fuzzy Hash: BF717DB4600204AFDB209F65C894FFA7BBBEF49300F146069F95697361DBB1AD81CB50

Function 006AF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AF75C
_memset.LIBCMT ref: 006AF825
ShellExecuteExW.SHELL32(?), ref: 006AF86A

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

Part of subcall function 0064FEC6: _wcscpy.LIBCMT ref: 0064FEE9

GetProcessId.KERNEL32(00000000), ref: 006AF8E1
CloseHandle.KERNEL32(00000000), ref: 006AF910

Strings

@, xrefs: 006AF839

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 3022bb0faef16655122967ed50ccfbe74a6ba886acad6e9b80019450194d871e
Instruction ID: 0c85b7025fb60da6476f97da47f67567e1b639e29bce2d6576869d8e612e0d57
Opcode Fuzzy Hash: 3022bb0faef16655122967ed50ccfbe74a6ba886acad6e9b80019450194d871e
Instruction Fuzzy Hash: AD618C75A006199FCB14EF94C980AAEBBF6FF49310F14856DE846AB391CB30AD41CF95

Function 0069145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0069149C
GetKeyboardState.USER32(?), ref: 006914B1
SetKeyboardState.USER32(?), ref: 00691512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00691540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0069155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 006915A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006915C8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0e9487d4a8097cae6547b14d0d70eb3d0c64529b7690e510d2e4263f0f66f314
Instruction ID: 65912b98a683959b0e13b837f4de37c250175c5bde85c6dc5ce4adb244358cf8
Opcode Fuzzy Hash: 0e9487d4a8097cae6547b14d0d70eb3d0c64529b7690e510d2e4263f0f66f314
Instruction Fuzzy Hash: 2451D0A0A046D73EFF3246648C45BFA7EAF5B47304F298589E1D54EDD2C294AC84D760

Function 00691276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006912B5
GetKeyboardState.USER32(?), ref: 006912CA
SetKeyboardState.USER32(?), ref: 0069132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00691357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00691374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006913B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006913D9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ebe51b7877a07fa73a01ef4e3c8e799a9f323406d3ef7836431599b2a18395ef
Instruction ID: d82005f5edf239a774361e5bc62df5920a904f7782fa2108802d8c0a6a5bf12d
Opcode Fuzzy Hash: ebe51b7877a07fa73a01ef4e3c8e799a9f323406d3ef7836431599b2a18395ef
Instruction Fuzzy Hash: 7551D0A09046D77DFF3287248C45BBABFAF5B07300F288589E1D48EDC2D295AC94E760

Function 0069589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006958AC
_wcsncpy.LIBCMT ref: 006958E1
_wcsncpy.LIBCMT ref: 00695913
_wcsncpy.LIBCMT ref: 00695946
_wcsncpy.LIBCMT ref: 00695988
_wcsncpy.LIBCMT ref: 006959C2
_wcsncpy.LIBCMT ref: 006959F1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: acbb512fff056e03a77cbf8598906128fe722f343d59eaeddca5eb3e7f38a606
Instruction ID: 282ab6ab0e5ef3c14b0f0d688f80e7f1cb12c83ca986d281d164085e50443e78
Opcode Fuzzy Hash: acbb512fff056e03a77cbf8598906128fe722f343d59eaeddca5eb3e7f38a606
Instruction Fuzzy Hash: E041E566C2052876CF51EBB48C869CF73AEAF05711F50845AF919E3221EB34E758C3AD

Function 0068DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0068DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0068DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0068DB8E

Strings

,,l, xrefs: 0068DA69
DllGetClassObject, xrefs: 0068DB01

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,l$DllGetClassObject
API String ID: 753597075-2085701340
Opcode ID: 8c158d3e9e045eb17f57c3dea2d55de4e10764c1098ab1a3c6fa2ccbfd1ce7a1
Instruction ID: eddccf84bf8f688ecd446a05dd4ebcfe8136b37ea2940ccf8b7f707d244f8938
Opcode Fuzzy Hash: 8c158d3e9e045eb17f57c3dea2d55de4e10764c1098ab1a3c6fa2ccbfd1ce7a1
Instruction Fuzzy Hash: B141C0B1600208EFDB14DF54C884AAA7BBAEF48350F1182ADED059F286D7B0DD44CBB0

Function 006938AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006948AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006938D3,?), ref: 006948C7

Part of subcall function 006948AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006938D3,?), ref: 006948E0

lstrcmpiW.KERNEL32(?,?), ref: 006938F3
_wcscmp.LIBCMT ref: 0069390F
MoveFileW.KERNEL32(?,?), ref: 00693927
_wcscat.LIBCMT ref: 0069396F
SHFileOperationW.SHELL32(?), ref: 006939DB

Strings

\*.*, xrefs: 00693969

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 5ead41890a306bb3908abfdaf463b018a8a87f7cd8ef8f2fccd4a412c3b2f204
Instruction ID: 3b0686c39c8063fbae7b42421613cb2bcd0a0eac0d849b870aae4dcd8b121698
Opcode Fuzzy Hash: 5ead41890a306bb3908abfdaf463b018a8a87f7cd8ef8f2fccd4a412c3b2f204
Instruction Fuzzy Hash: 1C4193B240C3449ECB91EF64C445AEFB7EDAF89340F00092EF48AC3661EA74D689C756

Function 006B7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B75C0
IsMenu.USER32(?), ref: 006B75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B7620
DrawMenuBar.USER32 ref: 006B7633

Strings

0, xrefs: 006B750D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 766cf78f10347f3eb3484239794b1f272dd60c15ebddaa40173a63fc544c83e8
Instruction ID: 883906746f8c1324ff864b225af133809af9ffa5c92d13ec1dc428b8ac2605e3
Opcode Fuzzy Hash: 766cf78f10347f3eb3484239794b1f272dd60c15ebddaa40173a63fc544c83e8
Instruction Fuzzy Hash: D14128B5A04609AFDB20DF58D884EEABBFAFB48350F058129F91597350D730AD90DFA0

Function 006B122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006B125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006B1286
FreeLibrary.KERNEL32(00000000), ref: 006B133D

Part of subcall function 006B122D: RegCloseKey.ADVAPI32(?), ref: 006B12A3
Part of subcall function 006B122D: FreeLibrary.KERNEL32(?), ref: 006B12F5
Part of subcall function 006B122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006B1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 006B12E0

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: d04e9b0ea0ba90aabb1cabfc633a32f22c3dc5752b33750123b6ec7ee72f87a4
Instruction ID: e050b3f93eab858aa683daec3ee41d2cd1ea5c8722f4ffc3ea426e958ef09586
Opcode Fuzzy Hash: d04e9b0ea0ba90aabb1cabfc633a32f22c3dc5752b33750123b6ec7ee72f87a4
Instruction Fuzzy Hash: 88312BB1901119BFDB149BA4DC99AFEB7BDEF09300F40016AF501E6251EA749FC59BA0

Function 006B653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006B655B
GetWindowLongW.USER32(00C96C98,000000F0), ref: 006B658E
GetWindowLongW.USER32(00C96C98,000000F0), ref: 006B65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006B65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006B661F
GetWindowLongW.USER32(00000000,000000F0), ref: 006B6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006B664A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 59115b5e24c7ed399103a017c4142159194e37c3f73265fd67657cb1c0613884
Instruction ID: 7baf152c2fa8bbe92da07bfbc0e51ed404b361bc949ed88e2a1f7b49e7252b64
Opcode Fuzzy Hash: 59115b5e24c7ed399103a017c4142159194e37c3f73265fd67657cb1c0613884
Instruction Fuzzy Hash: 853126B1644114AFDB30CF18DC85FA537E2FB4A350F181268FA118B2B6DB75AC90DB61

Function 006A6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006A80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006A80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006A64D9
WSAGetLastError.WSOCK32(00000000), ref: 006A64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006A6521
connect.WSOCK32(00000000,?,00000010), ref: 006A652A
WSAGetLastError.WSOCK32 ref: 006A6534
closesocket.WSOCK32(00000000), ref: 006A655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006A6576

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 6f779f1761dc87bb2ed7eaa7b19da5a39752efc260609ca6f1ca9cc1f33c72d7
Instruction ID: db34e0d62d26a1b207453cfc623eb9a36e32562a2536f7e390369b37bb70223c
Opcode Fuzzy Hash: 6f779f1761dc87bb2ed7eaa7b19da5a39752efc260609ca6f1ca9cc1f33c72d7
Instruction Fuzzy Hash: 4A31B371600118AFDB10AF24DC85BBE7BBAEB45714F088169F94997291CB70AD44CFA1

Function 0068E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0068E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0068E120
SysAllocString.OLEAUT32(00000000), ref: 0068E123
SysAllocString.OLEAUT32 ref: 0068E144
SysFreeString.OLEAUT32 ref: 0068E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0068E167
SysAllocString.OLEAUT32(?), ref: 0068E175

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c670e1f311efec46fdc20eb418e2a4584ea335bb4e93a388ae78d7e0a54e6de3
Instruction ID: 3e7d696436f4e62ab69ceaccec8432cbf9b84885530913356f41f610adf651b9
Opcode Fuzzy Hash: c670e1f311efec46fdc20eb418e2a4584ea335bb4e93a388ae78d7e0a54e6de3
Instruction Fuzzy Hash: 7E216575604108AFDB10AFA8DC88DAB77FEEB09760B108335F955CB2A5DA71DC81CB64

Function 0068FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0068FB81
__wcsnicmp.LIBCMT ref: 0068FBA2
__wcsnicmp.LIBCMT ref: 0068FBBC

Strings

#notrayicon, xrefs: 0068FB79
#requireadmin, xrefs: 0068FB9C
#OnAutoItStartRegister, xrefs: 0068FBB6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 2ff1f85f4f27ef83ca0ad03118e36d49428ac7e3d905dfc84ab426b6af4511e9
Instruction ID: 14ffc3475532e73fe41a65507cb61ad9b115f89560c1a93096cc7fe4199d8ec7
Opcode Fuzzy Hash: 2ff1f85f4f27ef83ca0ad03118e36d49428ac7e3d905dfc84ab426b6af4511e9
Instruction Fuzzy Hash: 2C216472200255A6D330B730DC22FFB739BEF21350F14453AFC8686281FB51AA82C3A9

Function 006B783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00631D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00631D73
Part of subcall function 00631D35: GetStockObject.GDI32(00000011), ref: 00631D87
Part of subcall function 00631D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00631D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006B78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006B78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006B78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006B78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006B78D4

Strings

Msctls_Progress32, xrefs: 006B7872

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 718a422056be4f292c71128b580867c71a88caa26e3d6d24ecef784a89d764a0
Instruction ID: 1e52a1b697f2dab73eb1dbafb7b867398b77f503ab78b86ff6cb3f598e2776eb
Opcode Fuzzy Hash: 718a422056be4f292c71128b580867c71a88caa26e3d6d24ecef784a89d764a0
Instruction Fuzzy Hash: 1D1190B2110219BFEF159F60CC85EE77F6EEF48758F014125BA04A60A0C7729C61DBA4

Function 006541C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00654292,?), ref: 006541E3
GetProcAddress.KERNEL32(00000000), ref: 006541EA
EncodePointer.KERNEL32(00000000), ref: 006541F6
DecodePointer.KERNEL32(00000001,00654292,?), ref: 00654213

Strings

combase.dll, xrefs: 006541DE
RoInitialize, xrefs: 006541D2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 323d2fac500f80e0cdc16f73e37a606cf636208c2025c88a9add0bc7d80f8468
Instruction ID: 9b0fe91bced3e27d9ba7c4555ab4688c4a3e187b59f66cedd622d890e66a7f71
Opcode Fuzzy Hash: 323d2fac500f80e0cdc16f73e37a606cf636208c2025c88a9add0bc7d80f8468
Instruction Fuzzy Hash: 31E0E5B0690301AAEB209BB4EC49B753AA7AB20706F106528B822D56B0DEB554D5CF10

Function 0065429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006541B8), ref: 006542B8
GetProcAddress.KERNEL32(00000000), ref: 006542BF
EncodePointer.KERNEL32(00000000), ref: 006542CA
DecodePointer.KERNEL32(006541B8), ref: 006542E5

Strings

combase.dll, xrefs: 006542B3
RoUninitialize, xrefs: 006542A7

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2d873b465ae6de1e5a2caf61da29baeab3aeade60835a05f598f2b218d64de4d
Instruction ID: 957760363631703c0a2f26fcd7b498ee2b6559dc3fd2ac9e4ff84a87f67434cc
Opcode Fuzzy Hash: 2d873b465ae6de1e5a2caf61da29baeab3aeade60835a05f598f2b218d64de4d
Instruction Fuzzy Hash: C2E046B8580302ABEB10DF60EC4CB723AA7BB20746F102128F401E1AB0CFB066D4CB04

Function 0069675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006968AD
_memmove.LIBCMT ref: 006967E8

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

_memmove.LIBCMT ref: 0069685B
_memmove.LIBCMT ref: 00696942
_memmove.LIBCMT ref: 0069695B
_memmove.LIBCMT ref: 00696977

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
Instruction ID: adb6b2c65a9e9ea39da912474025575b74939d71154ee1e96a40310f6f71f70c
Opcode Fuzzy Hash: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
Instruction Fuzzy Hash: B0619D3050065AABCF51EF64CC81FFE77AAAF05308F04451DF85A5B2D2DB749945CBA4

Function 006B046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 006B10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B0038,?,?), ref: 006B10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006B0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006B05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006B05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006B0617
RegCloseKey.ADVAPI32(00000000), ref: 006B0624

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 9c3cb630899d39be957e12ee81f4588a7992412ec84372eebd978cd3a8ea0328
Instruction ID: 2eb208b71617302e1df5cea6964d2de3117e638813b1003a83983609dd3c5d08
Opcode Fuzzy Hash: 9c3cb630899d39be957e12ee81f4588a7992412ec84372eebd978cd3a8ea0328
Instruction Fuzzy Hash: 41515AB1108200AFD754EF24C885EAFBBEAFF89314F04491DF545972A1DB31E945CB96

Function 006B5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006B5A82
GetMenuItemCount.USER32(00000000), ref: 006B5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006B5AE1
GetMenuItemID.USER32(?,?), ref: 006B5B50
GetSubMenu.USER32(?,?), ref: 006B5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 006B5BAF

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 7e72920a8e35f1ebdc4ac1a39bf7c3da72a5674bf971ef2f3680df66b3b7661b
Instruction ID: a5b6a5487cd4f634ab8c6537968e85e5700995bcd2c7f9ea85367b276afa8d0a
Opcode Fuzzy Hash: 7e72920a8e35f1ebdc4ac1a39bf7c3da72a5674bf971ef2f3680df66b3b7661b
Instruction Fuzzy Hash: BC517E75A00615AFCF51EF64C855AEEB7B6EF48320F104469ED06BB351CB70AE818B94

Function 0068F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0068F3F7
VariantClear.OLEAUT32(00000013), ref: 0068F469
VariantClear.OLEAUT32(00000000), ref: 0068F4C4
_memmove.LIBCMT ref: 0068F4EE
VariantClear.OLEAUT32(?), ref: 0068F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0068F569

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 82d5f7bfc522d6a2c10adf8e88e9965ce1cf1a67fe6c7b1d1321f85eb142c144
Instruction ID: 109846434c04b1595acd8657de50328b695bf347be48e26ba8a2e1598503b89f
Opcode Fuzzy Hash: 82d5f7bfc522d6a2c10adf8e88e9965ce1cf1a67fe6c7b1d1321f85eb142c144
Instruction Fuzzy Hash: 0E516AB5A00209EFCB10DF58D880AAAB7F9FF4C314B15866AED59DB311D730E951CBA0

Function 006926F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00692747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00692792
IsMenu.USER32(00000000), ref: 006927B2
CreatePopupMenu.USER32 ref: 006927E6
GetMenuItemCount.USER32(000000FF), ref: 00692844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00692875

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 8532f2daaf040cf6c8e34c3bed1b3c536aaa4008ee65c525d419adbb37c18d9a
Instruction ID: b7d8df3892cf39bdb00b615138749d8c6924e7ee2e8aa513650a3c924fdac257
Opcode Fuzzy Hash: 8532f2daaf040cf6c8e34c3bed1b3c536aaa4008ee65c525d419adbb37c18d9a
Instruction Fuzzy Hash: 6C51B370900307FFDF24CF68DA98AEEBBFAAF44314F104669E4119B691D7709949CB51

Function 00631765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0063179A
GetWindowRect.USER32(?,?), ref: 006317FE
ScreenToClient.USER32(?,?), ref: 0063181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0063182C
EndPaint.USER32(?,?), ref: 00631876

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 5ccc45de4aa097ca9ee8bba9198d11dc134d9e0a79341b52f845c139b779294a
Instruction ID: e9c092bf564ab787dbdf4e399d825de0cf2ee344f6255ba12fe7ec52311619be
Opcode Fuzzy Hash: 5ccc45de4aa097ca9ee8bba9198d11dc134d9e0a79341b52f845c139b779294a
Instruction Fuzzy Hash: 40418D70504201AFD710DF28CC84BB67BEAEB4A764F14062DF9A58B2A1D7319885DBA1

Function 006BB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006F67B0,00000000,00C96C98,?,?,006F67B0,?,006BB862,?,?), ref: 006BB9CC
EnableWindow.USER32(00000000,00000000), ref: 006BB9F0
ShowWindow.USER32(006F67B0,00000000,00C96C98,?,?,006F67B0,?,006BB862,?,?), ref: 006BBA50
ShowWindow.USER32(00000000,00000004,?,006BB862,?,?), ref: 006BBA62
EnableWindow.USER32(00000000,00000001), ref: 006BBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 006BBAA9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4bf34ca801321271bb92774a4c96f7e1817b4b7df0d691115eccbdb037ba1dc0
Instruction ID: 928120ec43633c613f67ea9f45b1c238075a99eb76bd81842268876d707412bf
Opcode Fuzzy Hash: 4bf34ca801321271bb92774a4c96f7e1817b4b7df0d691115eccbdb037ba1dc0
Instruction Fuzzy Hash: EB4150B0600241AFDB21DF14C899BD57BE2FF06310F1852B9FA488F2A2C7B1E885CB51

Function 006A73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,006A5134,?,?,00000000,00000001), ref: 006A73BF

Part of subcall function 006A3C94: GetWindowRect.USER32(?,?), ref: 006A3CA7

GetDesktopWindow.USER32 ref: 006A73E9
GetWindowRect.USER32(00000000), ref: 006A73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006A7422

Part of subcall function 006954E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0069555E

GetCursorPos.USER32(?), ref: 006A744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006A74AC

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: d9304f09ec62c1e49366c1bd54db12c85ed2f5c645247abe37321895efe5d75d
Instruction ID: 166bc586b38c1f94b687c720bb3fe33a5b4da973e1c51c764f9420d164ccc891
Opcode Fuzzy Hash: d9304f09ec62c1e49366c1bd54db12c85ed2f5c645247abe37321895efe5d75d
Instruction Fuzzy Hash: FA31B272508305ABD720EF54DC49E9BBBEAFF89314F004A29F58997191DA30ED49CB92

Function 00688D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006885F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00688608
Part of subcall function 006885F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00688612
Part of subcall function 006885F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00688621
Part of subcall function 006885F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00688628
Part of subcall function 006885F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0068863E

GetLengthSid.ADVAPI32(?,00000000,00688977), ref: 00688DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00688DB8
HeapAlloc.KERNEL32(00000000), ref: 00688DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00688DD8
GetProcessHeap.KERNEL32(00000000,00000000,00688977), ref: 00688DEC
HeapFree.KERNEL32(00000000), ref: 00688DF3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 67a6e440b6f24efd2bf177c655bb13f581fb9eeaa325150e77b0455328a020ac
Instruction ID: a70915fc832b5a6db1c88d23532b9e4c41b7672a1a54ee9689df6386de6c2f48
Opcode Fuzzy Hash: 67a6e440b6f24efd2bf177c655bb13f581fb9eeaa325150e77b0455328a020ac
Instruction Fuzzy Hash: 0B11BEB1540605FFDB10AFA8DC09BEEBBBBEF55315F504629E845A7261CB32A940CB60

Function 00688AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00688B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00688B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00688B40
CloseHandle.KERNEL32(00000004), ref: 00688B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00688B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00688B8E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 175bc7d25e74f5b82fa98c9b1fa975ce8a0573bcc2b39a1a09fabc04e2019787
Instruction ID: f0c00b194ff3f1c67fbf5a2da899666c1705525fb0e37b083d3caf3fb0355278
Opcode Fuzzy Hash: 175bc7d25e74f5b82fa98c9b1fa975ce8a0573bcc2b39a1a09fabc04e2019787
Instruction Fuzzy Hash: BE116DB250020DAFDF019FA8ED49FDE7BAAEF48304F045264FE04A2160C7718D60DB60

Function 006BC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006312F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0063134D
Part of subcall function 006312F3: SelectObject.GDI32(?,00000000), ref: 0063135C
Part of subcall function 006312F3: BeginPath.GDI32(?), ref: 00631373
Part of subcall function 006312F3: SelectObject.GDI32(?,00000000), ref: 0063139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006BC1C4
LineTo.GDI32(00000000,00000003,?), ref: 006BC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006BC1E6
LineTo.GDI32(00000000,00000000,?), ref: 006BC1F6
EndPath.GDI32(00000000), ref: 006BC206
StrokePath.GDI32(00000000), ref: 006BC216

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6aa4eb666ca843bb7e93201c5848ba75b6dbb8e1ca7c836b3ff36f14f50d3210
Instruction ID: b83498cd60c48e48d9a50ccb09923295ce9ab6f54301862574d14f3b0060abaf
Opcode Fuzzy Hash: 6aa4eb666ca843bb7e93201c5848ba75b6dbb8e1ca7c836b3ff36f14f50d3210
Instruction Fuzzy Hash: 38110CB640010CBFDB119F94DC48EEA7FAEEB04394F048125B9184A171C7729E95DBA0

Function 006503A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006503D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 006503DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006503E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006503F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006503F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00650401

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9b1a69acd4f65b840dab1f2ca80b09c29f2b57c093153a222535b242c739df95
Instruction ID: f9353672dd9d38b138cd1016c2ad23faf0b3e427b6bb0939865538421c147330
Opcode Fuzzy Hash: 9b1a69acd4f65b840dab1f2ca80b09c29f2b57c093153a222535b242c739df95
Instruction Fuzzy Hash: 57016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 0069568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0069569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006956B1
GetWindowThreadProcessId.USER32(?,?), ref: 006956C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006956CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006956D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006956E0

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ccfe0f3d67507379425a296f6d6928c644324313fd5bf3ff64c0f861dd08fd94
Instruction ID: 583b15497759d5114554e2d95017bb35912390fe929afb18dfa71d4395ba2c7f
Opcode Fuzzy Hash: ccfe0f3d67507379425a296f6d6928c644324313fd5bf3ff64c0f861dd08fd94
Instruction Fuzzy Hash: 4FF06D72641118BBE7215BA6AC0DEEB7B7DEBCAB11F000269FA00D1060EAA01A4187B5

Function 006974D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006974E5
EnterCriticalSection.KERNEL32(?,?,00641044,?,?), ref: 006974F6
TerminateThread.KERNEL32(00000000,000001F6,?,00641044,?,?), ref: 00697503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00641044,?,?), ref: 00697510

Part of subcall function 00696ED7: CloseHandle.KERNEL32(00000000,?,0069751D,?,00641044,?,?), ref: 00696EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00697523
LeaveCriticalSection.KERNEL32(?,?,00641044,?,?), ref: 0069752A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 2f6e2417d832eab816f115db944d03c31c55de9ab4bee840ad41c9a5596908ae
Instruction ID: b1f19a18a764f1e89e650146d911d46d2e959cf830b95108c84b9fa4c79536c1
Opcode Fuzzy Hash: 2f6e2417d832eab816f115db944d03c31c55de9ab4bee840ad41c9a5596908ae
Instruction Fuzzy Hash: F7F05EBA144612EBDF521BA4FC8C9EB772BEF45302B011632F202914B4CB755A81CB50

Function 00688E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00688E7F
UnloadUserProfile.USERENV(?,?), ref: 00688E8B
CloseHandle.KERNEL32(?), ref: 00688E94
CloseHandle.KERNEL32(?), ref: 00688E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00688EA5
HeapFree.KERNEL32(00000000), ref: 00688EAC

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3cb3ab41599286b90b59aab622ba85f633d71c6a7798361eecf448d157b8712e
Instruction ID: 0a79e766fb97e173c3654943cc2e8eb29d317cd52e3f25416817d7f86aa00a14
Opcode Fuzzy Hash: 3cb3ab41599286b90b59aab622ba85f633d71c6a7798361eecf448d157b8712e
Instruction Fuzzy Hash: 5CE052B6104505FBDB011FE5EC0C95ABBAAFB89762B549731F21981470CB3294A1DB90

Function 00687A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006C2C7C,?), ref: 00687C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006C2C7C,?), ref: 00687C4A
CLSIDFromProgID.OLE32(?,?,00000000,006BFB80,000000FF,?,00000000,00000800,00000000,?,006C2C7C,?), ref: 00687C6F
_memcmp.LIBCMT ref: 00687C90

Strings

,,l, xrefs: 00687A85

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,l
API String ID: 314563124-3005423691
Opcode ID: f000dc7175866c12e8645236f6a9ef592dd9cde973309d95304a1bc814cccea8
Instruction ID: f257bc4ed0d34f37f38c179faacfb5499a50d0fda45e7d308dfa5254ccbfda2a
Opcode Fuzzy Hash: f000dc7175866c12e8645236f6a9ef592dd9cde973309d95304a1bc814cccea8
Instruction Fuzzy Hash: 80810D75A04109EFCB04DF94C984EEEB7BAFF89315F204198F515AB260DB71AE46CB60

Function 006A8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006A8928
CharUpperBuffW.USER32(?,?), ref: 006A8A37
VariantClear.OLEAUT32(?), ref: 006A8BAF

Part of subcall function 00697804: VariantInit.OLEAUT32(00000000), ref: 00697844
Part of subcall function 00697804: VariantCopy.OLEAUT32(00000000,?), ref: 0069784D
Part of subcall function 00697804: VariantClear.OLEAUT32(00000000), ref: 00697859

Strings

Incorrect Parameter format, xrefs: 006A8960, 006A8B22
AUTOIT.ERROR, xrefs: 006A8A3D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 278eacc761b79e93fd5163ec91c52da90f798dab1253f475c8be00a6e77e043c
Instruction ID: 449dd6b3e968be08e6272120e61d34e492b5ea22a9cc626a99ff890cf442e7c9
Opcode Fuzzy Hash: 278eacc761b79e93fd5163ec91c52da90f798dab1253f475c8be00a6e77e043c
Instruction Fuzzy Hash: F4914B716083019FC750EF28C48495BBBE6AF89314F14496EF8968B361DB31ED45CFA2

Function 00692F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0064FEC6: _wcscpy.LIBCMT ref: 0064FEE9

_memset.LIBCMT ref: 00693077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006930A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00693159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00693187

Strings

0, xrefs: 00693063

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0432eadcd06ec8a61abddc985827d85249ad93db2ec9fb911fdeaf69168fcf9d
Instruction ID: 1f14d5b4d05bcd90e3137f02958c2b8d6c5c085f395d60d5946df596b7887df6
Opcode Fuzzy Hash: 0432eadcd06ec8a61abddc985827d85249ad93db2ec9fb911fdeaf69168fcf9d
Instruction Fuzzy Hash: 2651F3316083219BDB249F28D845AAB77EEEF55360F04092DF895D77A0DB70CE44C796

Function 00692C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00692CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00692CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00692D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006F6890,00000000), ref: 00692D5A

Strings

0, xrefs: 00692CA4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5d9284e9205aed6d1105112b06a9d815b476101dd967b4de97b1a9e0bed57e95
Instruction ID: cdb393a51584c44d3cf76f8ef06dfa7607987f97ebc6a5401abd294fbd1629c5
Opcode Fuzzy Hash: 5d9284e9205aed6d1105112b06a9d815b476101dd967b4de97b1a9e0bed57e95
Instruction Fuzzy Hash: E1419D71204302AFDB20DF24C855B5ABBEAEF85320F14462DF965973E1D770E908CBA6

Function 006ADAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006ADAD9

Part of subcall function 006379AB: _memmove.LIBCMT ref: 006379F9

Strings

winapi, xrefs: 006ADB4A
cdecl, xrefs: 006ADB30
stdcall, xrefs: 006ADB5B
none, xrefs: 006ADBB4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 16fc433db7b4b6b83b7d1bbbc9caa5021f1a1c89ac8c3a077f40c5b3bb9cce46
Instruction ID: 764e0a5e51ee68f8791467314e2e4a5c8807ea4b61d78f3d981b302ef8596984
Opcode Fuzzy Hash: 16fc433db7b4b6b83b7d1bbbc9caa5021f1a1c89ac8c3a077f40c5b3bb9cce46
Instruction Fuzzy Hash: F5316EB050061AABCF50EF54CC819EEB7B6FF05310F10862DA866977D1DB71AD05CB94

Function 00689372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 0068B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0068B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006893F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00689409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00689439

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

Strings

ComboBox, xrefs: 00689380
ListBox, xrefs: 006893B5

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 1271ee84411d9b131db119dc268a91f328818b776b1c0b92e2fb668c5ea95c54
Instruction ID: a146d93a277fc6ca094cca3f5dc5bc3f1e810b4a778785a1d337a2fd620f10e0
Opcode Fuzzy Hash: 1271ee84411d9b131db119dc268a91f328818b776b1c0b92e2fb668c5ea95c54
Instruction Fuzzy Hash: D321A0B1900204ABDB14BB64DC868FEB7AADF45360F14422DF926972E1DB354A4AD760

Function 006A1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006A1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006A1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006A1B96
InternetCloseHandle.WININET(00000000), ref: 006A1BDD

Part of subcall function 006A2777: GetLastError.KERNEL32(?,?,006A1B0B,00000000,00000000,00000001), ref: 006A278C
Part of subcall function 006A2777: SetEvent.KERNEL32(?,?,006A1B0B,00000000,00000000,00000001), ref: 006A27A1

Strings

, xrefs: 006A1B87

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: b82ea4427f67bdaa825363f83e710801e5ebc2bbe7ce008df2cf673719e8f003
Instruction ID: 4c0b20ef3f209c9da1706f2273d2fef5f9213ed53590f52f849343550b3e104c
Opcode Fuzzy Hash: b82ea4427f67bdaa825363f83e710801e5ebc2bbe7ce008df2cf673719e8f003
Instruction Fuzzy Hash: 3621CFB1500208BFEB11AF64DC85EBF76EEEB4B754F10416EF405AA250EA209E059B75

Function 006B6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00631D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00631D73
Part of subcall function 00631D35: GetStockObject.GDI32(00000011), ref: 00631D87
Part of subcall function 00631D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00631D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006B66D0
LoadLibraryW.KERNEL32(?), ref: 006B66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006B66EC
DestroyWindow.USER32(?), ref: 006B66F4

Strings

SysAnimate32, xrefs: 006B66AB

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: fba35358942241bbd0929027291ff22142afd80b90eb3db3e562b7b491e6115f
Instruction ID: aeac20fd9182e41c10806f888c3957b06c6e40375259f635a7b09c5b42494f45
Opcode Fuzzy Hash: fba35358942241bbd0929027291ff22142afd80b90eb3db3e562b7b491e6115f
Instruction Fuzzy Hash: 52219FB1100205ABEF104F64DC80EFB77AEEF59368F104629F910922A0E776CCD19765

Function 0069703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0069705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00697091
GetStdHandle.KERNEL32(0000000C), ref: 006970A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006970DD

Strings

nul, xrefs: 006970D8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3fac7ad40dff899d47edb84de868e78f927ce9b9bea15cf779081bcca241152e
Instruction ID: 724b802a372b3ce5c9fa9460bde5443f7d627ceeaf9dfbc8d34ce4a89e774055
Opcode Fuzzy Hash: 3fac7ad40dff899d47edb84de868e78f927ce9b9bea15cf779081bcca241152e
Instruction Fuzzy Hash: 86215EB4614309ABDF209F69DC05A9A7BAEBF44720F204A19FCA1D77D0E77099508B60

Function 0069710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0069712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0069715D
GetStdHandle.KERNEL32(000000F6), ref: 0069716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006971A8

Strings

nul, xrefs: 006971A3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c372f80e9140c78ea57ffe7a27cb68383726b1f230b9094e307cb5c055481ad3
Instruction ID: d4bd06ef61a38ec106fbf800400449226e5a99d634eb886e2d1894f1a20b0067
Opcode Fuzzy Hash: c372f80e9140c78ea57ffe7a27cb68383726b1f230b9094e307cb5c055481ad3
Instruction Fuzzy Hash: AC21B375614305ABDF209F68DC04AAAB7EEAF55720F240B19FCA0D37D0D770A981CB54

Function 0069AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0069AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0069AF13
__swprintf.LIBCMT ref: 0069AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,006BF910), ref: 0069AF6A

Strings

%lu, xrefs: 0069AF26

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 278bed8ec0bb106ff69e2f31679a5c79b591f4b58db5e36f478fd6bf01230b3d
Instruction ID: 40297739390b3f0d48903889150f6970bad1fe926a08004e9aaa1ee976759358
Opcode Fuzzy Hash: 278bed8ec0bb106ff69e2f31679a5c79b591f4b58db5e36f478fd6bf01230b3d
Instruction Fuzzy Hash: 34217474600209AFCB50EF54CD85DAE77F9EF49704B004069F905EB251DB71EA45CB61

Function 0068A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

Part of subcall function 0068A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0068A399
Part of subcall function 0068A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0068A3AC
Part of subcall function 0068A37C: GetCurrentThreadId.KERNEL32 ref: 0068A3B3
Part of subcall function 0068A37C: AttachThreadInput.USER32(00000000), ref: 0068A3BA

GetFocus.USER32 ref: 0068A554

Part of subcall function 0068A3C5: GetParent.USER32(?), ref: 0068A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0068A59D
EnumChildWindows.USER32(?,0068A615), ref: 0068A5C5
__swprintf.LIBCMT ref: 0068A5DF

Strings

%s%d, xrefs: 0068A5D9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 8d0c21b366f5299b83a8cc5a9bc708e4eb86623d305504420c700a81f295e03e
Instruction ID: f286b31a8486ce3b730b9c94b269d01a419e92397ea8a474e655ffca0a7ccd9c
Opcode Fuzzy Hash: 8d0c21b366f5299b83a8cc5a9bc708e4eb86623d305504420c700a81f295e03e
Instruction Fuzzy Hash: F511D6B1200209BBEF517FB4DC85FEA37BE9F48700F04417AFE08AA152DA7159858B79

Function 00692017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00692048

Strings

EXISTS, xrefs: 00692070
APPEND, xrefs: 00692081
KEYS, xrefs: 0069205F
REMOVE, xrefs: 0069204E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: ee6814f9dbd0a6107562149ed54157f90bf0716872ac16b0256942a120d768e0
Instruction ID: 69709ff7c1964afded74ee3abb2bbe264d9c0f2d5be667743e2184f2c7bf6cfd
Opcode Fuzzy Hash: ee6814f9dbd0a6107562149ed54157f90bf0716872ac16b0256942a120d768e0
Instruction Fuzzy Hash: 5C115B3490020ADFCF90EFA4D9514EEBBB6FF15304F108568D855A7352EB32A91ACB50

Function 006AEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006AEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006AEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 006AF07E
CloseHandle.KERNEL32(?), ref: 006AF0FF

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 1efe137a555a256b0e83d7bb388f3cbebe8eb794d3522ebb66db7b7f3521c0be
Instruction ID: c7b34b47fe77b0f134ff5c05046c9eaf8c8cb4cd66121985ea5864151d885180
Opcode Fuzzy Hash: 1efe137a555a256b0e83d7bb388f3cbebe8eb794d3522ebb66db7b7f3521c0be
Instruction Fuzzy Hash: 27815F716043009FD760EF28C846B6AB7E6AF48710F14891DF595DB392DBB1AC418F95

Function 0065564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006556AB
_memcpy_s.LIBCMT ref: 0065571D
__read_nolock.LIBCMT ref: 0065577B
__filbuf.LIBCMT ref: 0065579E
_memset.LIBCMT ref: 006557E2

Part of subcall function 00658D68: __getptd_noexit.LIBCMT ref: 00658D68

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: 2254430f1c6ef55012c00c88b089f315c3e7b0ab5b0555b2d7494396150837ca
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: EA51A630A00B05DBDB248F69C8A85AE77B7AF45322F248729FC27967E0D7709D598B40

Function 006B02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 006B10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006B0038,?,?), ref: 006B10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006B0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006B03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006B040E
RegCloseKey.ADVAPI32(?,?), ref: 006B043A
RegCloseKey.ADVAPI32(00000000), ref: 006B0447

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 637ea794a510d486d52258518cc45bb249c04981258e69a507a75a49218ce285
Instruction ID: ca022e7070a4ab4b401b7c6f8b4f54e80578565ec60d28d203979aa7e7fd079b
Opcode Fuzzy Hash: 637ea794a510d486d52258518cc45bb249c04981258e69a507a75a49218ce285
Instruction Fuzzy Hash: 36517CB1208205AFD744EF54CC81EAFBBEAFF84304F04892DB596872A1DB30E945CB56

Function 006ADBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006ADC3B
GetProcAddress.KERNEL32(00000000,?), ref: 006ADCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 006ADCDA
GetProcAddress.KERNEL32(00000000,?), ref: 006ADD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006ADD35

Part of subcall function 00635B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00697B20,?,?,00000000), ref: 00635B8C
Part of subcall function 00635B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00697B20,?,?,00000000,?,?), ref: 00635BB0

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 8ad5e3ae13b22033c16b0aa5495be61e9e1a6f9959d8aadce96d4d72174dfb17
Instruction ID: 0d7692969081101bc8f6139fe8100661db913f7bee4e9015d913543332f88ef8
Opcode Fuzzy Hash: 8ad5e3ae13b22033c16b0aa5495be61e9e1a6f9959d8aadce96d4d72174dfb17
Instruction Fuzzy Hash: 4E512975A00205DFCB00EF68C8849ADB7FAFF59324B148169E816AB361DB70ED45CF95

Function 0069E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0069E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0069E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0069E8F2

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0069E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0069E91F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 26c2ebcdb68ebd1be9af23e36e07f4eb27a68b6815dff50ebcc43ad07567355c
Instruction ID: fc0cf398ce2b57aaccb4dd07e3107def5a122631deed5328b57ee91cb81cfe62
Opcode Fuzzy Hash: 26c2ebcdb68ebd1be9af23e36e07f4eb27a68b6815dff50ebcc43ad07567355c
Instruction Fuzzy Hash: A551FA35A00205DFCF41EF64C981AADBBF6EF08310F1480A9E849AB361DB71AD51DFA4

Function 006BA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c30ce04a4c287981c7eb97adf5fcba63808032d1310b6d616919aa97c4ed2259
Instruction ID: 6d3f84b7a98e526b17895906f14335a8ee33acd083993eeca13a4325c8060115
Opcode Fuzzy Hash: c30ce04a4c287981c7eb97adf5fcba63808032d1310b6d616919aa97c4ed2259
Instruction Fuzzy Hash: 7241D0B5900214ABC720DFA8CC48FE9BBE6EB09310F144265F955E72E1DB70AEC1DB61

Function 00632344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00632357
ScreenToClient.USER32(006F67B0,?), ref: 00632374
GetAsyncKeyState.USER32(00000001), ref: 00632399
GetAsyncKeyState.USER32(00000002), ref: 006323A7

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ca43951c375e85556ac1771b9dccfc3a0603a118c94278e9723569211e79ab44
Instruction ID: 6b2b49cd03dfadaf6e3ef24c6ff70bc9d317c4a8f4f59e3a6f8b575c8461bfe0
Opcode Fuzzy Hash: ca43951c375e85556ac1771b9dccfc3a0603a118c94278e9723569211e79ab44
Instruction Fuzzy Hash: E341817150451AFBDF159F68C854AEDBBB6FF05320F20431AF869922A0C7345E94DBD1

Function 00686920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068695D
TranslateAcceleratorW.USER32(?,?,?), ref: 006869A9
TranslateMessage.USER32(?), ref: 006869D2
DispatchMessageW.USER32(?), ref: 006869DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006869EB

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ae938c1a12bfa4ba377c6222d926ba339323100270804c46e5c2562a96ac2392
Instruction ID: 7bf442d86bd1dbfcf9893bdcf39cfb5e41c517b7cffbc02d34fe17f20067aa88
Opcode Fuzzy Hash: ae938c1a12bfa4ba377c6222d926ba339323100270804c46e5c2562a96ac2392
Instruction Fuzzy Hash: 0E31CF71904257AADF64EF74DC44BF6BBABAB01304F10436AF421D22A1E7749886DBA0

Function 00688F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00688F12
PostMessageW.USER32(?,00000201,00000001), ref: 00688FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00688FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00688FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00688FDA

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 38742e2a91d1ba9a017fdb318a6399e7e39cbbf1c26ff2b1f040be57796e564b
Instruction ID: 917f480c8164905189e12b21693df2990e8f3932428c7da254edb9a256d9bf2d
Opcode Fuzzy Hash: 38742e2a91d1ba9a017fdb318a6399e7e39cbbf1c26ff2b1f040be57796e564b
Instruction Fuzzy Hash: 4231CDB1500219EFDB10DF68DD48ADE7BB6EB04315F108329FA24AB2E1CBB09950CB90

Function 0068B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0068B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0068B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0068B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0068B742
_wcsstr.LIBCMT ref: 0068B74C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 266d5600817855d9258dfd1b0283b92b200d2d2ef5e6be40042fab4cbc9c6e0e
Instruction ID: b832a87b12d3d4b38fe6b3a24fffe0da3658ad6a2a859cacf30767d529ee0fcb
Opcode Fuzzy Hash: 266d5600817855d9258dfd1b0283b92b200d2d2ef5e6be40042fab4cbc9c6e0e
Instruction Fuzzy Hash: 6A210A71204204BBEB256B399C49E7B7BAADF46720F10512DFD05CA2A1FF61DC819350

Function 006BB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

GetWindowLongW.USER32(?,000000F0), ref: 006BB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006BB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006BB489
GetSystemMetrics.USER32(00000004), ref: 006BB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,006A1184,00000000), ref: 006BB4D0

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 6057b8370d9816b708c8c449b18609e6e56063ba28d356c2a3ceca553249a61d
Instruction ID: 8e69c8bd541366e85a687754ced690dfb742c4c2230e673def2429b5e0b7fb2d
Opcode Fuzzy Hash: 6057b8370d9816b708c8c449b18609e6e56063ba28d356c2a3ceca553249a61d
Instruction Fuzzy Hash: 7A2162B1510255AFCB209F38DC04AEA37E6FB05720F145738F926D62E6E7709991DB90

Function 006897E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00689802

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00689834
__itow.LIBCMT ref: 0068984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00689874
__itow.LIBCMT ref: 00689885

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: f33edab7f7f957c18f712b1f66a91ad0efc2545c1b93a7f1b87afc664b503368
Instruction ID: 7c420f8c97a276d2fc024b0f791675d8c81e06c8dad7d10531d17dc41f2982e3
Opcode Fuzzy Hash: f33edab7f7f957c18f712b1f66a91ad0efc2545c1b93a7f1b87afc664b503368
Instruction Fuzzy Hash: FD21CBB1B00205ABDB20AB658C86EFE7BBBDF4A710F080129FD04D7251D6718D4587E1

Function 006312F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0063134D
SelectObject.GDI32(?,00000000), ref: 0063135C
BeginPath.GDI32(?), ref: 00631373
SelectObject.GDI32(?,00000000), ref: 0063139C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a8eda545f0401390689f2198fc5528ba7d3d052e01249bf793bb27b83556caf7
Instruction ID: 2ea4a67a801ac47ef22a8bef27d8fb442f2931e864b11e155089014740cbc1bd
Opcode Fuzzy Hash: a8eda545f0401390689f2198fc5528ba7d3d052e01249bf793bb27b83556caf7
Instruction Fuzzy Hash: 3B213070914308EFEB119F25DC047B97BBBFB06361F14522AF8209B2B0D7719995DBA0

Function 0068C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0068C176
_memcmp.LIBCMT ref: 0068C194
_memcmp.LIBCMT ref: 0068C1A7
_memcmp.LIBCMT ref: 0068C1BF
_memcmp.LIBCMT ref: 0068C1D7

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9bbf26d4da308ca91b0c5b41ee2f7608c4f3e47badcb009f946d095261b86149
Instruction ID: 0bd4f0906cf7f17c62b701ba496b4bcac361bb28bd475f5e50c9560dee8e6db1
Opcode Fuzzy Hash: 9bbf26d4da308ca91b0c5b41ee2f7608c4f3e47badcb009f946d095261b86149
Instruction Fuzzy Hash: AA0192A16442067BE604B6205CD6FBB635FDB223A8F444229FD449A383E670AE1583F4

Function 00694D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00694D5C
__beginthreadex.LIBCMT ref: 00694D7A
MessageBoxW.USER32(?,?,?,?), ref: 00694D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00694DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00694DAC

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 0232289ccf149bd4bc084477f2df8d1ad28f1150356523157044464bbf178abe
Instruction ID: 2ece93374fd9a62e3d5f9fd5997fa2d435277c8c33e9ab315d937f5ac2da933f
Opcode Fuzzy Hash: 0232289ccf149bd4bc084477f2df8d1ad28f1150356523157044464bbf178abe
Instruction Fuzzy Hash: 4C1108B6904204BBCB019BA8DC04EEA7FAEEB45321F144365F914D3361DA718D4487A0

Function 0068874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00688766
GetLastError.KERNEL32(?,0068822A,?,?,?), ref: 00688770
GetProcessHeap.KERNEL32(00000008,?,?,0068822A,?,?,?), ref: 0068877F
HeapAlloc.KERNEL32(00000000,?,0068822A,?,?,?), ref: 00688786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0068879D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: dc35de88b5cee56bac5305051c25a6a8ef8314e46f6d192c5ead62f15915c9fe
Instruction ID: e2a748e24676784b174a2de25a6dfdf06dccca2d6209dbf5ff7babbf56c0931b
Opcode Fuzzy Hash: dc35de88b5cee56bac5305051c25a6a8ef8314e46f6d192c5ead62f15915c9fe
Instruction Fuzzy Hash: 73014FB1200204EFDB105FA9DC48DAB7BBEEF853957600629F849D3260DA31CC40CB60

Function 006954E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00695502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00695510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00695518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00695522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0069555E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0d792bf7b90821cbd7ac1c03783709740b856703ff4e58d8eb59bd754cbe88d2
Instruction ID: 8381007749ee3522da9d82396fb9bd625278326259052b0e4b2e9c522efc44be
Opcode Fuzzy Hash: 0d792bf7b90821cbd7ac1c03783709740b856703ff4e58d8eb59bd754cbe88d2
Instruction Fuzzy Hash: F3011B75D01A19DBCF01DFE8EC885EDBB7ABB09711F010596E902F2651DB309A94C7A1

Function 00687652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?,?,?,0068799D), ref: 0068766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?,?), ref: 0068768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?,?), ref: 00687698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?), ref: 006876A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0068758C,80070057,?,?), ref: 006876B4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4bd79667e206cfbb4b08a8a3cc38980fda49ecf6a058d5dbe7215b5bf415b9d1
Instruction ID: bb63452b6244d63be56a772864502eba1a754e310636539e15dca9e16e26ad1f
Opcode Fuzzy Hash: 4bd79667e206cfbb4b08a8a3cc38980fda49ecf6a058d5dbe7215b5bf415b9d1
Instruction Fuzzy Hash: 0E0184B2605614BBDB10AF58DC44BAA7BBEEB44751F240228FD04D2221F731DE8197A0

Function 006885F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00688608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00688612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00688621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00688628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0068863E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 21593a2ac9a3724e2966cde370fd3d2e1d4281b0dd2dafb8373497906d0f668d
Instruction ID: 7633ba6807e88d6d26c57685fba0282ddcb5f39c78bda01cda3fb447a66b52c3
Opcode Fuzzy Hash: 21593a2ac9a3724e2966cde370fd3d2e1d4281b0dd2dafb8373497906d0f668d
Instruction Fuzzy Hash: 32F044B1201204BFD7201FA9DC99EAB3BAEEF85754B440625F545C7260DB619CC1DB60

Function 00688652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00688669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00688673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00688682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00688689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0068869F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b1304b91d643d04b2988bc1237759e3cf4e8ccbb46e756786ab814854651e85a
Instruction ID: 8e2cd63d2e47fac25363ef8e0d065b4bd27907549b3af85e4536075a503b4ef3
Opcode Fuzzy Hash: b1304b91d643d04b2988bc1237759e3cf4e8ccbb46e756786ab814854651e85a
Instruction Fuzzy Hash: 7CF04FB1200214BFEB112FA9EC88EA73BAEEF89754B500625F945D7260DA619D81DB60

Function 0068C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0068C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0068C6D1
MessageBeep.USER32(00000000), ref: 0068C6E9
KillTimer.USER32(?,0000040A), ref: 0068C705
EndDialog.USER32(?,00000001), ref: 0068C71F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 314653db4c77892c22ffc4b7a2130750d73d8704f42e55a7952d3a95919c3d21
Instruction ID: 0f534ac00c7ca4e50831485a50ad72c339e4a99706c7f23ec71c5c5d0979f28d
Opcode Fuzzy Hash: 314653db4c77892c22ffc4b7a2130750d73d8704f42e55a7952d3a95919c3d21
Instruction Fuzzy Hash: EC01A270400304ABEB206B20DC8EF9677BAFF04701F001769F542A10F0EBF1A9948F90

Function 006313B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006313BF
StrokeAndFillPath.GDI32(?,?,0066BAD8,00000000,?), ref: 006313DB
SelectObject.GDI32(?,00000000), ref: 006313EE
DeleteObject.GDI32 ref: 00631401
StrokePath.GDI32(?), ref: 0063141C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 10268cfe03f5d46ac9f63a87afe6a7aaf3c556c150f67f632ad6146056ea40a5
Instruction ID: 40f681fc7af0782121bb6bbf89105427ab88a32223faf6b675d6fd38617dccb3
Opcode Fuzzy Hash: 10268cfe03f5d46ac9f63a87afe6a7aaf3c556c150f67f632ad6146056ea40a5
Instruction Fuzzy Hash: EEF0C971014208EBDB115F2AEC0C7A83BA7AB02366F04A228F429491F1C73289A5DF70

Function 00642E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00650FF6: std::exception::exception.LIBCMT ref: 0065102C
Part of subcall function 00650FF6: __CxxThrowException@8.LIBCMT ref: 00651041

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 00637BB1: _memmove.LIBCMT ref: 00637C0B

__swprintf.LIBCMT ref: 0064302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00642EC6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 796e95236d72e12ae6d9b69af7023ca40d30e6f0177fb6edd3c49a299d5bd148
Instruction ID: 40fc46faae5a31dc9c0391bb9e45b0d80d90cbfafef223b63ca564e0cce9b76c
Opcode Fuzzy Hash: 796e95236d72e12ae6d9b69af7023ca40d30e6f0177fb6edd3c49a299d5bd148
Instruction Fuzzy Hash: 59918D711087119FC768EF24D885CAEB7B6EF85750F04491DF8869B3A1DA20EE48CB96

Function 0068B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0068B981

Strings

AutoIt3GUI, xrefs: 0068B8F9
Container, xrefs: 0068B8FE
%l, xrefs: 0068BA24

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%l
API String ID: 3565006973-3060131109
Opcode ID: e99af2518e32e49de01b42f0a392e8e85861accb614b2ac2d11ea0d7202501c6
Instruction ID: d1f31cf807542e04e166a0570414ede27b32eb4741a78e6507cdb8cfcc916e32
Opcode Fuzzy Hash: e99af2518e32e49de01b42f0a392e8e85861accb614b2ac2d11ea0d7202501c6
Instruction Fuzzy Hash: 3E914B706006019FDB64DF25C884A6ABBFAFF49710F14966DF94ACB391DB70E841CB60

Function 0065524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006552DD

Part of subcall function 00660340: __87except.LIBCMT ref: 0066037B

Strings

pow, xrefs: 006552B5, 006552D2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: dc9457eb212027f9d530df3be5ec874c4fcde75ae3880e3e309b5e38e3c5e0e8
Instruction ID: 33ef34fe566422f1cdfbfb52a83ece80cadd172c4cd373177ff0fbe6aef56d2b
Opcode Fuzzy Hash: dc9457eb212027f9d530df3be5ec874c4fcde75ae3880e3e309b5e38e3c5e0e8
Instruction Fuzzy Hash: 8B516A21A08602D7E7216714C9693BB2BD39B00352F204979E89A823E5FF748DDC9B46

Function 0065023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00650277
#, xrefs: 00650280

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 1e58d6d5eb80f17390667ad7de84b836a5647837b83e14abc68b9aae47dc0d25
Instruction ID: 37be5cffdc0946089b86e941cb471e25a3b96b871229a75506d632c28f62a184
Opcode Fuzzy Hash: 1e58d6d5eb80f17390667ad7de84b836a5647837b83e14abc68b9aae47dc0d25
Instruction Fuzzy Hash: 165131755046469FDF25AF28C888AFA7BB6EF19310F144155EC929B3A0D730DC4ACB64

Function 00643297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006433D7
_memmove.LIBCMT ref: 00643470
_free.LIBCMT ref: 00643496
_memmove.LIBCMT ref: 00643549

Strings

Oad, xrefs: 00643482

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove$_free
String ID: Oad
API String ID: 2620147621-2998856776
Opcode ID: 2d8b4defa98cff1e555028369a849e89ff5f8644ae54a064a0b9b404cf603d4f
Instruction ID: b98d98b96050f2e443e929d664fc63d1fd46d4d7e7b729ef057769db43166f76
Opcode Fuzzy Hash: 2d8b4defa98cff1e555028369a849e89ff5f8644ae54a064a0b9b404cf603d4f
Instruction Fuzzy Hash: B3517B716083519FDB28CF28C441B6BBBE6BF85314F14892DE899C7351DB31EA01CB82

Function 006462F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006463A8
_memmove.LIBCMT ref: 00646446
_memset.LIBCMT ref: 0064646A

Strings

ERCP, xrefs: 00646313

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 80fba928dbe2e9b24f5a689fd9e9b55108c4396f513b89b2f9f2ae8380b793e7
Instruction ID: c724bf7f8586c5f5239000a7486e3111f644b6f61a92b76ec0075a8f23453155
Opcode Fuzzy Hash: 80fba928dbe2e9b24f5a689fd9e9b55108c4396f513b89b2f9f2ae8380b793e7
Instruction Fuzzy Hash: 4851C271900309DBDB24DF65C8857EBBBFAEF05714F20856EEA8ACB241E7709685CB41

Function 006B7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006B76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006B76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 006B7708

Strings

SysMonthCal32, xrefs: 006B769B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a5a705ccbebfc8ad1bc5ccf6553925d8f5b7a1c6b5d80e02c7b315085dce7197
Instruction ID: f363d23a7bd987a9ddfac03d33c3cd9890b3236ccdabd87a53e0520e8450f92a
Opcode Fuzzy Hash: a5a705ccbebfc8ad1bc5ccf6553925d8f5b7a1c6b5d80e02c7b315085dce7197
Instruction Fuzzy Hash: 3521A172514219BBDF11CF64CC46FEA3B6AEF89714F110214FE156B2E0DAB1AC918BA0

Function 006B6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006B6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006B6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006B6FDF

Strings

Listbox, xrefs: 006B6F77

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 16db74c9a6dff2c492a2b7d047a9c0c4024ce4043cfc973be399948e656376d1
Instruction ID: adc2cd2a2af2d280ccbee817dda82652fb3c0533af8d383ed44b315682bd4892
Opcode Fuzzy Hash: 16db74c9a6dff2c492a2b7d047a9c0c4024ce4043cfc973be399948e656376d1
Instruction Fuzzy Hash: 16217F72611118ABDF118F54DC85EFB37AFEF89754F018124F9149B2A0CA75AC92CBA0

Function 006B797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006B79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006B79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006B7A03

Strings

msctls_trackbar32, xrefs: 006B79B8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 993ab8bc6872dfabf96a7ec3d07b9d04d5702ecaa94e0a3cbda033b56989a696
Instruction ID: 57b0cfdca90aac3b444cefe387fd05a92fd08c3b75f5c2ebe69cf7ea8730dc59
Opcode Fuzzy Hash: 993ab8bc6872dfabf96a7ec3d07b9d04d5702ecaa94e0a3cbda033b56989a696
Instruction Fuzzy Hash: 6411E3B2244208BAEF109F60CC05FEB77AAEFC9B64F02051DFA41A61A0D2719891DB60

Function 00634C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00634C2E), ref: 00634CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00634CB5

Strings

GetNativeSystemInfo, xrefs: 00634CAF
kernel32.dll, xrefs: 00634C9E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 5af2863d95c71166cfd7ce3eb16c0996aeb9fa0eb8d3dced0e9ce8efe93f9bfe
Instruction ID: 2401339c3caea7733fff730d42c855491d3480039cccc079c170eda6007a361b
Opcode Fuzzy Hash: 5af2863d95c71166cfd7ce3eb16c0996aeb9fa0eb8d3dced0e9ce8efe93f9bfe
Instruction Fuzzy Hash: 95D012B0510723CFD7245F39DE18686B6D7AF05751F11DC39D895D6260DA70D4C0C750

Function 00634D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00634D2E,?,00634F4F,?,006F62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00634D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00634D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00634D7B
kernel32.dll, xrefs: 00634D6A

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 33e4af2b96121b6b90872028b1c0bf53eb22806629af23697c075ba23550245b
Instruction ID: 6f6d0a06b78e5ed088f394f7140252e2e038b13ec71b03bd9fb62d9ff503f57e
Opcode Fuzzy Hash: 33e4af2b96121b6b90872028b1c0bf53eb22806629af23697c075ba23550245b
Instruction Fuzzy Hash: BED017B0510723CFD7209F39DC08696B6EAAF15352F12DD3AD496D6260EA70E8C0CA90

Function 00634D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00634CE1,?), ref: 00634DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00634DB4

Strings

kernel32.dll, xrefs: 00634D9D
Wow64RevertWow64FsRedirection, xrefs: 00634DAE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 1784e30b21db3c11f8712cffad9436360625e737dad12040ff4b4fc3bce57afd
Instruction ID: 9821eee2f5a7bbb520ba0aa2090e2304cd8a903634fda9468a31b6d7cad1780b
Opcode Fuzzy Hash: 1784e30b21db3c11f8712cffad9436360625e737dad12040ff4b4fc3bce57afd
Instruction Fuzzy Hash: A8D0E2B1550722CFD7209B39DC08A86B6EAAF05355B12883AD896D6260EB70E8C08A90

Function 006B1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006B12C1), ref: 006B1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006B1092

Strings

RegDeleteKeyExW, xrefs: 006B108C
advapi32.dll, xrefs: 006B107B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 538c5022da20b33b66c9edfe995cecbc202730746ad5b6993fc75902dfa77a64
Instruction ID: 6e3762a2b57509709028ca2ea87338785bcda092ac46ef8ad03a72042abd8624
Opcode Fuzzy Hash: 538c5022da20b33b66c9edfe995cecbc202730746ad5b6993fc75902dfa77a64
Instruction Fuzzy Hash: 7FD012B0510753DFD7205F79DC285AB76E6AF05391B11DD39E495DA260DB70C4C0C750

Function 006A93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,006A9009,?,006BF910), ref: 006A9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006A9415

Strings

GetModuleHandleExW, xrefs: 006A940F
kernel32.dll, xrefs: 006A93FE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e2a4135d207d6ac7ec544cd34a3a0693d59b79bdb6a21b01a8514df31718376f
Instruction ID: a4e98774296e8bcff8b6d36696daa4bafc0cefd4c89309dbead9cfc8893f6bdb
Opcode Fuzzy Hash: e2a4135d207d6ac7ec544cd34a3a0693d59b79bdb6a21b01a8514df31718376f
Instruction Fuzzy Hash: 46D01274510713CFD7205F75DD0854676D7AF06751B21CC39D495D6660D670D8C0CB60

Function 00671B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00671B42
__swprintf.LIBCMT ref: 00671B73

Strings

WIN_XPe, xrefs: 00671BB2
%.3d, xrefs: 00671B4D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 80e5605126338a8fabbc67071275251f1521cab5ea59f36d99d82a7ab65cffa5
Instruction ID: 347bfddf3b10ee8d2c153fc11074d6ba2c633400b7adba939b2569e38ff4e8bb
Opcode Fuzzy Hash: 80e5605126338a8fabbc67071275251f1521cab5ea59f36d99d82a7ab65cffa5
Instruction Fuzzy Hash: 9ED012B1804158EACB559B948C848F9737EAB05B11F104593B90AA6000F2349B869B25

Function 006876C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777279fb45a6e54ed7cbbbb81ea45b38e96adcf38773e55c28c6add709ea7550
Instruction ID: c806d39de3ebf6ff459a29c727ea02e72d1524f54b098fa3be5cb28b5e1b0389
Opcode Fuzzy Hash: 777279fb45a6e54ed7cbbbb81ea45b38e96adcf38773e55c28c6add709ea7550
Instruction Fuzzy Hash: 9DC14D75A04216EFCB14DF94C884EAEBBB6FF48714B258699E805EB351D730DD81CB90

Function 006AE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 006AE3D2
CharLowerBuffW.USER32(?,?), ref: 006AE415

Part of subcall function 006ADAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006ADAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 006AE615
_memmove.LIBCMT ref: 006AE628

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 86ecfbbc63115c848f433c1f8b6a7ecc2e650a94f2b18fe1582e47bfbb7131ea
Instruction ID: 97248aefd30566f5d1ac5327904d38f192d562d9db2250fb8e86d5237f227bf8
Opcode Fuzzy Hash: 86ecfbbc63115c848f433c1f8b6a7ecc2e650a94f2b18fe1582e47bfbb7131ea
Instruction Fuzzy Hash: 9BC12571A083019FC754EF28C48095ABBE6EF89714F14896EF8999B351D732ED46CF82

Function 006A83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006A83D8
CoUninitialize.OLE32 ref: 006A83E3

Part of subcall function 0068DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DAC5

VariantInit.OLEAUT32(?), ref: 006A83EE
VariantClear.OLEAUT32(?), ref: 006A86BF

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 11260013a5810bb41e12adcf92d805badd1eb28222e1746a7597575181efa7ee
Instruction ID: 8d5bb7dc97e53b1e7cc6336599dda55f8350d7b935933649b886a475ca12aa6d
Opcode Fuzzy Hash: 11260013a5810bb41e12adcf92d805badd1eb28222e1746a7597575181efa7ee
Instruction Fuzzy Hash: 5BA124756047019FDB50EF14C881A6AB7E6BF89314F18454CF99A9B3A2CB70ED04CF96

Function 00686DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00686E04
SysAllocString.OLEAUT32(00000000), ref: 00686EAD
VariantCopy.OLEAUT32 ref: 00686EDC
VariantClear.OLEAUT32(?), ref: 00686F03

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c5e98ef39cac80a2bc6ddbce3f1734a9c064f1a61673ab6e722cdb0f188b52b6
Instruction ID: 8a3006ca593fa57e9623666e69291096ec218da9a22ba467f31c1e05d63691a5
Opcode Fuzzy Hash: c5e98ef39cac80a2bc6ddbce3f1734a9c064f1a61673ab6e722cdb0f188b52b6
Instruction Fuzzy Hash: 7351C6706083059BDB60BF69D895A6EB3E7AF48310F30991FF656CB291DB70D880DB25

Function 006B9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C9F7D0,?), ref: 006B9AD2
ScreenToClient.USER32(00000002,00000002), ref: 006B9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006B9B72

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f138d5a197dad389c0d5cce001792c6336e2202b61acab400fef8dbf56e3ec5d
Instruction ID: c6c9dd46680fe1b61a907ce65a3a26a5aef11d65fdfe1fa4c6fbe29a06f09578
Opcode Fuzzy Hash: f138d5a197dad389c0d5cce001792c6336e2202b61acab400fef8dbf56e3ec5d
Instruction Fuzzy Hash: 91512D74A00609AFCF14DF68D8819EE7BB6FF55360F108659F9259B3A1D730AD81CBA0

Function 006A6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006A6CE4
WSAGetLastError.WSOCK32(00000000), ref: 006A6CF4

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006A6D58
WSAGetLastError.WSOCK32(00000000), ref: 006A6D64

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 32eed8e1135d6f115114836f53a3e55b433151ae2c66144a28bd19313c6669a9
Instruction ID: 45619cde0fbcc7ee88e56ca6bc3c57b63a22397f1292f0be44f88fe458dd6d68
Opcode Fuzzy Hash: 32eed8e1135d6f115114836f53a3e55b433151ae2c66144a28bd19313c6669a9
Instruction Fuzzy Hash: C2419174740200AFEB60BF24DC86F7A77E6AF05B10F44815CFA59AB3D2DAB59D008B95

Function 006A672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006BF910), ref: 006A67BA
_strlen.LIBCMT ref: 006A67EC

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 88bb6c20fa38f603c334823af2dd978995e640cda407f6113269a1fc297955f3
Instruction ID: 8d4c01b066733c85b8bc4a95e10d776d015a350e397879f05b10c3186632d064
Opcode Fuzzy Hash: 88bb6c20fa38f603c334823af2dd978995e640cda407f6113269a1fc297955f3
Instruction Fuzzy Hash: EA41D375A00104ABCB54FB64DCC5EAEB3AFAF45314F188169F8169B292DB70AD44CBA4

Function 0069BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0069BB09
GetLastError.KERNEL32(?,00000000), ref: 0069BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0069BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0069BB80

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b81fffbab9bf5be94c10af473f1a58b99378df4c69377526e5a799ee4c4ad767
Instruction ID: 6acf77d5c983c0b79c14c9b17c29354f9af83bd11504ca454cb036acf387663c
Opcode Fuzzy Hash: b81fffbab9bf5be94c10af473f1a58b99378df4c69377526e5a799ee4c4ad767
Instruction Fuzzy Hash: D8411639200610DFCF10EF19C984A59BBE6EF49314F099498E84A9B7A2CB74FD41DFA5

Function 006B8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006B8B4D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ca68206edfd0c16d8b6591927f69319dd97f063575e31a973edd06ba4e8ec781
Instruction ID: f7c6ed5ca90ad3a591f4a9ddba9c5c7e502a2699f7f22eacb2fb159dc2ddaba2
Opcode Fuzzy Hash: ca68206edfd0c16d8b6591927f69319dd97f063575e31a973edd06ba4e8ec781
Instruction Fuzzy Hash: D13181F4650208BEEB249F28CC95FE977ABEB09311F244616FA51D73A1DE30A9C0DB51

Function 006BADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006BAE1A
GetWindowRect.USER32(?,?), ref: 006BAE90
PtInRect.USER32(?,?,006BC304), ref: 006BAEA0
MessageBeep.USER32(00000000), ref: 006BAF11

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5671f7f22ddd3028388d30f1fee1f0f44a425f50b1d9fd85186f89a6eaa39109
Instruction ID: 6aa4afd08558639568732efa8dae759a61a28fa2f7a6306bcfb6cd2ea5cb26e0
Opcode Fuzzy Hash: 5671f7f22ddd3028388d30f1fee1f0f44a425f50b1d9fd85186f89a6eaa39109
Instruction Fuzzy Hash: A1414EB0600115DFCB11DF98C885AE9BBF7FF89350F1481A9E8559B361D730E982DB52

Function 00690FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00691037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00691053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006910B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0069110B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b29a88601f4c0e4812206c8cd242d531d0fd9eab0ba433fb760d0a6ed03561b5
Instruction ID: c052e527659f2887a0e06faaad38e04de4e85255a2747c74aa7a65facea91db0
Opcode Fuzzy Hash: b29a88601f4c0e4812206c8cd242d531d0fd9eab0ba433fb760d0a6ed03561b5
Instruction Fuzzy Hash: A1318230E40649AEFF308B658C057FDBBAFAB46310F24431AF5815AAD1CB7649C19755

Function 00691121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00691176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00691192
PostMessageW.USER32(00000000,00000101,00000000), ref: 006911F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00691243

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 226cc27f792897b7e168a9951282f5af19fe8da66a4f3e793c6bb2551799ca18
Instruction ID: 42a0a3ef6b1db1aad75eb91a7d98471dd41ac4b62bdcf22c4e871e6a9c04e32e
Opcode Fuzzy Hash: 226cc27f792897b7e168a9951282f5af19fe8da66a4f3e793c6bb2551799ca18
Instruction Fuzzy Hash: 31314830940209AEFF319B658C047FA7BAFAB4A310F24431EE5909AFD1C3354A859755

Function 00666415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0066644B
__isleadbyte_l.LIBCMT ref: 00666479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006664A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006664DD

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3397d0e70b5f3ebcc7c8add611fab088868d51198eb2723eb7c8ad6308dd1042
Instruction ID: 6117047b79b7779743af9436137f7fd3b2f41058f0232a767aac2942be97d2f1
Opcode Fuzzy Hash: 3397d0e70b5f3ebcc7c8add611fab088868d51198eb2723eb7c8ad6308dd1042
Instruction Fuzzy Hash: CC310F30600256AFDB218F65EC45BAA7BE7FF40310F158028F854972A1EB31EC90CB90

Function 006B5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006B5189

Part of subcall function 0069387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00693897
Part of subcall function 0069387D: GetCurrentThreadId.KERNEL32 ref: 0069389E
Part of subcall function 0069387D: AttachThreadInput.USER32(00000000,?,006952A7), ref: 006938A5

GetCaretPos.USER32(?), ref: 006B519A
ClientToScreen.USER32(00000000,?), ref: 006B51D5
GetForegroundWindow.USER32 ref: 006B51DB

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 2b124ffc76fa0961b41c95b8435eddde49c0ac325c658f00f542845b98b2b042
Instruction ID: 9c473553b21f080bb4b3bb9745a58926b270c5e8ea00efbd7a3863d5963826ac
Opcode Fuzzy Hash: 2b124ffc76fa0961b41c95b8435eddde49c0ac325c658f00f542845b98b2b042
Instruction Fuzzy Hash: 15311C71900108ABDB44EFA5CD459EFB7FAEF98300F10406AE416E7251DA759E45CFA4

Function 006BC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

GetCursorPos.USER32(?), ref: 006BC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0066BBFB,?,?,?,?,?), ref: 006BC7D7
GetCursorPos.USER32(?), ref: 006BC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0066BBFB,?,?,?), ref: 006BC85E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 55e08d1f84203395331fd78617415ae98a26417c0769529792a23a1dd8155cf1
Instruction ID: bf8228dd7d19db3c7062512a9c5811fdfeace42c965e9bff50d5a603aeddec2d
Opcode Fuzzy Hash: 55e08d1f84203395331fd78617415ae98a26417c0769529792a23a1dd8155cf1
Instruction Fuzzy Hash: D1315E75600018AFCB25CF58CC98EEA7FBBEB49720F044169F9058B261C731AE91DBA0

Function 00650BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00650BF2

Part of subcall function 00635B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00697B20,?,?,00000000), ref: 00635B8C
Part of subcall function 00635B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00697B20,?,?,00000000,?,?), ref: 00635BB0

_fprintf.LIBCMT ref: 00650C29
OutputDebugStringW.KERNEL32(?), ref: 00686331

Part of subcall function 00654CDA: _flsall.LIBCMT ref: 00654CF3

__setmode.LIBCMT ref: 00650C5E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 3858ceb0d66ed55e70c140487a301557ae0b9751a497db09e5c464f0c3641f86
Instruction ID: fffd2d7b97d663157e526e8e1fa68df4e4ba9aa5fdce529fed171b86a9eb4567
Opcode Fuzzy Hash: 3858ceb0d66ed55e70c140487a301557ae0b9751a497db09e5c464f0c3641f86
Instruction Fuzzy Hash: 7F1132329042046FDB44B7B89C439BE7B6B9F46322F14015EF50457292EE315D8A97E9

Function 00688B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00688652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00688669
Part of subcall function 00688652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00688673
Part of subcall function 00688652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00688682
Part of subcall function 00688652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00688689
Part of subcall function 00688652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0068869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00688BEB
_memcmp.LIBCMT ref: 00688C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00688C44
HeapFree.KERNEL32(00000000), ref: 00688C4B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 05cb4c12a502481218ed650d660b41f054ad2319a32d3a5fe26eafbecfa1fff9
Instruction ID: 2ff5f14f8fd4513fd4625b28d36b8887fc2abaf28724b8afad5b9392b799f6a3
Opcode Fuzzy Hash: 05cb4c12a502481218ed650d660b41f054ad2319a32d3a5fe26eafbecfa1fff9
Instruction Fuzzy Hash: FA21B0B1E01208EFCB10EFA4C944BEEB7BAFF44344F444199E454A7251DB30AE46CB60

Function 006A1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006A1A97

Part of subcall function 006A1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006A1B40
Part of subcall function 006A1B21: InternetCloseHandle.WININET(00000000), ref: 006A1BDD

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 01505c5a7ee6ef45ef8e85c8996d91494ef875b42175d9b81a2b1d5f366a9bb6
Instruction ID: 04f5ac3132e77cfb764f35851a3f4fe52770d91403c2f602bf6d670282f27eb6
Opcode Fuzzy Hash: 01505c5a7ee6ef45ef8e85c8996d91494ef875b42175d9b81a2b1d5f366a9bb6
Instruction Fuzzy Hash: 40219F75200605BFDB11AF649C01FBAB7ABFF46701F10012AFA519A661EB71DC119FA4

Function 0068E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0068F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0068E1C4,?,?,?,0068EFB7,00000000,000000EF,00000119,?,?), ref: 0068F5BC
Part of subcall function 0068F5AD: lstrcpyW.KERNEL32(00000000,?,?,0068E1C4,?,?,?,0068EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0068F5E2
Part of subcall function 0068F5AD: lstrcmpiW.KERNEL32(00000000,?,0068E1C4,?,?,?,0068EFB7,00000000,000000EF,00000119,?,?), ref: 0068F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0068EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0068E1DD
lstrcpyW.KERNEL32(00000000,?,?,0068EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0068E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0068EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0068E237

Strings

cdecl, xrefs: 0068E22E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6f5d2aff3d09eb8f804dab48e5fe5dd16f25fd819dd7eb08c6bc725acfa7bd9f
Instruction ID: 751bb9da01aff9e4b9142d6e7335bcb344f17988cfcce8d2ebaaaf45268df990
Opcode Fuzzy Hash: 6f5d2aff3d09eb8f804dab48e5fe5dd16f25fd819dd7eb08c6bc725acfa7bd9f
Instruction Fuzzy Hash: 4411D336100345EFCB25BF68DC45D7A77AAFF45310B40422AF806CB2A4EB72D951C7A4

Function 00665332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00665351

Part of subcall function 0065594C: __FF_MSGBANNER.LIBCMT ref: 00655963
Part of subcall function 0065594C: __NMSG_WRITE.LIBCMT ref: 0065596A
Part of subcall function 0065594C: RtlAllocateHeap.NTDLL(00C80000,00000000,00000001,00000000,?,?,?,00651013,?), ref: 0065598F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: db9602c91cf0c908dd69c52c171cc906d2af6a76736ad803f0466567928fed80
Instruction ID: d78216967e34445b251645af8e894b14eb7285175e9bf10950e86a7e731a38c2
Opcode Fuzzy Hash: db9602c91cf0c908dd69c52c171cc906d2af6a76736ad803f0466567928fed80
Instruction Fuzzy Hash: 87110432504B16AFCB202F74AC0669A37E75F00BE1F10062DFC46BA3A1EEB189418394

Function 00634531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00634560

Part of subcall function 0063410D: _memset.LIBCMT ref: 0063418D
Part of subcall function 0063410D: _wcscpy.LIBCMT ref: 006341E1
Part of subcall function 0063410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006341F1

KillTimer.USER32(?,00000001,?,?), ref: 006345B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006345C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0066D6CE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 0042d4a322ec4d58344e8a7d2833bccf8be96359135210f93dc7ab5187694581
Instruction ID: 714d194cd336bf7f7d30a1979e8037bf79e12973a2e202fcd80d0137f58559d3
Opcode Fuzzy Hash: 0042d4a322ec4d58344e8a7d2833bccf8be96359135210f93dc7ab5187694581
Instruction Fuzzy Hash: FD21FB70D047549FEB328B24DC55BE7FBEE9F11314F04009EE69D96251C7742A85CB51

Function 006940B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006940D1
_memset.LIBCMT ref: 006940F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00694144
CloseHandle.KERNEL32(00000000), ref: 0069414D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: f3ca08abfe1481e151af68bc9e8e71ee828cdefa3f8d9a91e23b5c2619386990
Instruction ID: 9ad41c5dbd39229e831e2315df3ee11e1426c0f2aee8f115efd951ff54026224
Opcode Fuzzy Hash: f3ca08abfe1481e151af68bc9e8e71ee828cdefa3f8d9a91e23b5c2619386990
Instruction Fuzzy Hash: 0C11EB759013287AD7305BA59C4DFEBBB7DEF44760F10429AF908D7290D6744E808BA4

Function 006A667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00635B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00697B20,?,?,00000000), ref: 00635B8C
Part of subcall function 00635B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00697B20,?,?,00000000,?,?), ref: 00635BB0

gethostbyname.WSOCK32(?,?,?), ref: 006A66AC
WSAGetLastError.WSOCK32(00000000), ref: 006A66B7
_memmove.LIBCMT ref: 006A66E4
inet_ntoa.WSOCK32(?), ref: 006A66EF

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 278f7e63019137bd21a59ce7c5ca8b825a8f105eaff828627a1c7d8f1f6f0289
Instruction ID: b4d89477a44550ad30590bc28625edfab969ff90a39c1cc1a879049e6147498f
Opcode Fuzzy Hash: 278f7e63019137bd21a59ce7c5ca8b825a8f105eaff828627a1c7d8f1f6f0289
Instruction Fuzzy Hash: ED119D75500508AFCB40FBA4DD86DEEB7BAAF08310F144129F506A72A1DF30AF04CBA5

Function 00689023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00689043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00689055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0068906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00689086

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e949fa21973071b6480b1a3358079c12a34abcfb316ab746e460e36184e8c391
Instruction ID: a43101abca6247a6a5e794e3320705e5541c1d789bbad46b540637d6adea6084
Opcode Fuzzy Hash: e949fa21973071b6480b1a3358079c12a34abcfb316ab746e460e36184e8c391
Instruction Fuzzy Hash: BA115E79900218FFDB10DFA5CC84EEDBBB5FB48310F204195E904B7250D6726E50DBA4

Function 00631290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00632612: GetWindowLongW.USER32(?,000000EB), ref: 00632623

DefDlgProcW.USER32(?,00000020,?), ref: 006312D8
GetClientRect.USER32(?,?), ref: 0066B84B
GetCursorPos.USER32(?), ref: 0066B855
ScreenToClient.USER32(?,?), ref: 0066B860

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5767821fdc31cdce0bd4573f235bb08ccfc4c8cb7b54b6e5b4b5f481c841396d
Instruction ID: b28f3a195a1a218228c89e534f7ed4621549c9f214465f6858f400c951257b2a
Opcode Fuzzy Hash: 5767821fdc31cdce0bd4573f235bb08ccfc4c8cb7b54b6e5b4b5f481c841396d
Instruction Fuzzy Hash: 35110A75900019AFCB10EFA8D8859FF77BAEF06301F100559F911EB251D730BA918BA9

Function 00691652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006901FD,?,00691250,?,00008000), ref: 0069166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006901FD,?,00691250,?,00008000), ref: 00691694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006901FD,?,00691250,?,00008000), ref: 0069169E
Sleep.KERNEL32(?,?,?,?,?,?,?,006901FD,?,00691250,?,00008000), ref: 006916D1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c30648364b0ff91f989bd20ddedb9138aa701ddae5cf9e85370667bd834d6470
Instruction ID: f6ecbfa808a75a6b2d7de4d0d123294f14937502aca24c5438f5b09c91eee370
Opcode Fuzzy Hash: c30648364b0ff91f989bd20ddedb9138aa701ddae5cf9e85370667bd834d6470
Instruction Fuzzy Hash: 9A117C71C0051ED7CF009FA9DC48AEEBB7EFF0A741F25459AE940BA250CB3095A0CB96

Function 00667207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0066722B

Part of subcall function 00667912: __fltout2.LIBCMT ref: 0066793B

__cftog_l.LIBCMT ref: 00667251
__cftoe_l.LIBCMT ref: 00667283

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 8cdd0ebe8a56462332b69c4cc663dda81f5c601bd34de0ff11e55bb7d1af4ccd
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 20018C3204814ABBCF525F94DC118EE3F6BBF29358F188615FA1858131C237CAB1AB81

Function 006BB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006BB59E
ScreenToClient.USER32(?,?), ref: 006BB5B6
ScreenToClient.USER32(?,?), ref: 006BB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006BB5F5

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1330cf9fbaadc9d0e8716b62f17d2d07a68bf4bd5e45f4c4c9491e5cbded0661
Instruction ID: 48cf658ed529f1922a65fffa0e0b9bca28d3541e24fd7f23e4e5c0e94ed76320
Opcode Fuzzy Hash: 1330cf9fbaadc9d0e8716b62f17d2d07a68bf4bd5e45f4c4c9491e5cbded0661
Instruction Fuzzy Hash: 651146B5D00209EFDB41CF99C8449EEFBB5FB18310F109166E954E3220D775AA558F51

Function 006BB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006BB8FE
_memset.LIBCMT ref: 006BB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006F7F20,006F7F64), ref: 006BB93C
CloseHandle.KERNEL32 ref: 006BB94E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 32460260032cf65df563789324371d9b0a703c2c680ce9b55f79b843db4a2729
Instruction ID: 0966bb1161daa570148b63d652d1b9d57efcb8c988a7ec0ed2d65cc44ce501af
Opcode Fuzzy Hash: 32460260032cf65df563789324371d9b0a703c2c680ce9b55f79b843db4a2729
Instruction Fuzzy Hash: A6F08CF2645314BBF3102B65AC06FBB3A9EEB09795F006021FB08D62A2D7714E00C7A8

Function 00696E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00696E88

Part of subcall function 0069794E: _memset.LIBCMT ref: 00697983

_memmove.LIBCMT ref: 00696EAB
_memset.LIBCMT ref: 00696EB8
LeaveCriticalSection.KERNEL32(?), ref: 00696EC8

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 66ffab0b31fffc642090ec36bba3339bb6476b3f54c849b42c4e2876483c9b5a
Instruction ID: df070000d9c79d742bf9e4745517137b5a2480314567eca7fc3230928b818742
Opcode Fuzzy Hash: 66ffab0b31fffc642090ec36bba3339bb6476b3f54c849b42c4e2876483c9b5a
Instruction Fuzzy Hash: B3F0547A200210BBCF416F55DC85A4ABB2BEF45361F048065FE085F266C731A951DBB4

Function 006BC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006312F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0063134D
Part of subcall function 006312F3: SelectObject.GDI32(?,00000000), ref: 0063135C
Part of subcall function 006312F3: BeginPath.GDI32(?), ref: 00631373
Part of subcall function 006312F3: SelectObject.GDI32(?,00000000), ref: 0063139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006BC030
LineTo.GDI32(00000000,?,?), ref: 006BC03D
EndPath.GDI32(00000000), ref: 006BC04D
StrokePath.GDI32(00000000), ref: 006BC05B

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 92b30f9dc7b3d7bea247de1a6a0b9700df06f5f13e592925bcdf342c5e485d18
Instruction ID: c48ed2d839dbed83aa0f21b73ef62028216380082e2cc21bf7c20c0313b09c3b
Opcode Fuzzy Hash: 92b30f9dc7b3d7bea247de1a6a0b9700df06f5f13e592925bcdf342c5e485d18
Instruction Fuzzy Hash: B9F0BE31004219BBDB122F54EC09FDE3FAAAF06321F044114FA21210F287B60AA0CBE9

Function 0068A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0068A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0068A3AC
GetCurrentThreadId.KERNEL32 ref: 0068A3B3
AttachThreadInput.USER32(00000000), ref: 0068A3BA

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 72a3534124a90a6b5d18e18dab4638a6b2d866749943f57fd9a4e6adfcc73b4c
Instruction ID: f6e47cd51d6ab4409298ccbb64df8e2af1b55baec5b8d43582166b4211829cc9
Opcode Fuzzy Hash: 72a3534124a90a6b5d18e18dab4638a6b2d866749943f57fd9a4e6adfcc73b4c
Instruction Fuzzy Hash: 70E01571541228BBEB202BA2DC0CED73F1EEF167A1F008225B908D4060D67195808BA0

Function 00632218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00632231
SetTextColor.GDI32(?,000000FF), ref: 0063223B
SetBkMode.GDI32(?,00000001), ref: 00632250
GetStockObject.GDI32(00000005), ref: 00632258
GetWindowDC.USER32(?,00000000), ref: 0066C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0066C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0066C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0066C112
GetPixel.GDI32(00000000,?,?), ref: 0066C132
ReleaseDC.USER32(?,00000000), ref: 0066C13D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 2bcba79d654ec20c4d5e98a04d16ed9cbf274a6a1e7b1ac8c890ee6b50a2d98b
Instruction ID: b178b8e95a0c08296f3bf80b9d275c93bfcd77d3bd48eaff20c0832f19020b6c
Opcode Fuzzy Hash: 2bcba79d654ec20c4d5e98a04d16ed9cbf274a6a1e7b1ac8c890ee6b50a2d98b
Instruction Fuzzy Hash: ECE06D72100244EADB215F68FC0D7E87B16EB16332F008366FAA9580F187728AC0DB11

Function 00688C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00688C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0068882E), ref: 00688C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0068882E), ref: 00688C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0068882E), ref: 00688C7E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4b30d53a73823818254811f75e4d96720ff5e8cdac7b93a27df1a029ebe92975
Instruction ID: c9eb342382f4f3c7338f733be468f5ca7399757f539cf5dc7bda9937a8b4cf18
Opcode Fuzzy Hash: 4b30d53a73823818254811f75e4d96720ff5e8cdac7b93a27df1a029ebe92975
Instruction Fuzzy Hash: B1E086B6642211EFD7206FB06E0CF963BAEEF54792F045A28B645CA060DA348481CB61

Function 00672187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00672187
GetDC.USER32(00000000), ref: 00672191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006721B1
ReleaseDC.USER32(?), ref: 006721D2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c14b8894a49fab8b7598d586c5546dfce293e49d8418a7131b4af8415723bbf9
Instruction ID: e1ea35e500ec6bc994cd28e2ce7b469581a191475c9a64d474eb021e69552e1f
Opcode Fuzzy Hash: c14b8894a49fab8b7598d586c5546dfce293e49d8418a7131b4af8415723bbf9
Instruction Fuzzy Hash: 81E0E5B5800204EFDB019F60CC18AAD7BB2EB4C350F108529FD5AA7230DB798182AF40

Function 0067219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0067219B
GetDC.USER32(00000000), ref: 006721A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006721B1
ReleaseDC.USER32(?), ref: 006721D2

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bbdeebaf762c9cf15343b848c187ab2a8ce80cb2e6db41fe6f2801bdee5d5504
Instruction ID: 3eddab3479c0c5b32800362e2b9e28e83343f489d4b6992fb1c9970ccd0a6098
Opcode Fuzzy Hash: bbdeebaf762c9cf15343b848c187ab2a8ce80cb2e6db41fe6f2801bdee5d5504
Instruction Fuzzy Hash: 91E01AB5800204AFCB019F70CC0869D7BF2EB4C310F108129FD5AA7230DB7991819F40

Function 006363A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%l, xrefs: 006363AE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID:
String ID: %l
API String ID: 0-1220962568
Opcode ID: a1379e1f3496852704987b28a5bdf026cbcf6000a58bb43976c1ca5a39b9f99c
Instruction ID: d1ffaa0a315739fddd30f84037596982836b75db8fe44cdf855a3f56eebf21c1
Opcode Fuzzy Hash: a1379e1f3496852704987b28a5bdf026cbcf6000a58bb43976c1ca5a39b9f99c
Instruction Fuzzy Hash: 8BB19175D00109ABCF24EF98C8919EDB7B6EF44310F50812AF902A7295DB309E86CBE5

Function 006AB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 006AB2C3

Strings

xro, xrefs: 006AB2F9
xro, xrefs: 006AB325

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __itow_s
String ID: xro$xro
API String ID: 3653519197-2866113368
Opcode ID: b4fd0b1d9aac1f4fd0ea2005c779d6ea4ea34e15161458c514464004520c8506
Instruction ID: 6f7cf447aa2a7391188a0ed90d9a7a3df32800b54f1f677f70e1c14dbda585d5
Opcode Fuzzy Hash: b4fd0b1d9aac1f4fd0ea2005c779d6ea4ea34e15161458c514464004520c8506
Instruction Fuzzy Hash: 42B18D70A00209AFCB14EF54C890EFABBBAEF59300F149559F9459B252DB70EE41CFA4

Function 0069B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0064FEC6: _wcscpy.LIBCMT ref: 0064FEE9

Part of subcall function 00639997: __itow.LIBCMT ref: 006399C2
Part of subcall function 00639997: __swprintf.LIBCMT ref: 00639A0C

__wcsnicmp.LIBCMT ref: 0069B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0069B361

Strings

LPT, xrefs: 0069B292

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b658dd2f833b6b93091768ac9b2a25bbe9a27d0925d2b9051be7a0876b80d27e
Instruction ID: ab3bd070660731948cea74db81a8f3fff96ec41dd742dc12dc00bd682b1de69b
Opcode Fuzzy Hash: b658dd2f833b6b93091768ac9b2a25bbe9a27d0925d2b9051be7a0876b80d27e
Instruction Fuzzy Hash: 1A619075A00214AFCF14DB98D981EEEB7BAEF08310F01515EF806AB791DB70AE40CB94

Function 00678A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00678B1E
_memmove.LIBCMT ref: 00678B78

Strings

Oad, xrefs: 00678BF2, 0067E39A, 0067E3B6

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _memmove
String ID: Oad
API String ID: 4104443479-2998856776
Opcode ID: 0e2edb3192e34215106bcf3b4bd44be24188b454fa005dda7115d8744f7aad11
Instruction ID: bdb8f01651d44a351b4c6d246ad967dd5e98ac3052811e995de79b16c5a993b0
Opcode Fuzzy Hash: 0e2edb3192e34215106bcf3b4bd44be24188b454fa005dda7115d8744f7aad11
Instruction Fuzzy Hash: 2C513E70A00609DFCB64CF68C884AEEBBB2FF44314F24856AE85AD7350EB31AD55CB51

Function 00642AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00642AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00642AE1

Strings

@, xrefs: 00642AD5

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 1b8f4bf9dabb34e07a3c7baa276c0590db62e8584e96a56aea2befe456d199ad
Instruction ID: 5ad17f50ef2f0ac545af6a21a002707c1ad91ae732c0af0e7f43b2d72c0fa8b4
Opcode Fuzzy Hash: 1b8f4bf9dabb34e07a3c7baa276c0590db62e8584e96a56aea2befe456d199ad
Instruction Fuzzy Hash: AC5188714187449BD360AF10DC86BAFBBF8FF94310F42885DF1D9410A1DB718928CB6A

Function 006999BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0063506B: __fread_nolock.LIBCMT ref: 00635089

_wcscmp.LIBCMT ref: 00699AAE
_wcscmp.LIBCMT ref: 00699AC1

Strings

FILE, xrefs: 006999FA

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d66abb35c59be44b5813c00b9898165354e0fc8e256fd051f640d807deeab262
Instruction ID: a0101167426c2ae4aa1beb319fe5e27148083d8a2f9e5bd077cbc72cb2bb9082
Opcode Fuzzy Hash: d66abb35c59be44b5813c00b9898165354e0fc8e256fd051f640d807deeab262
Instruction Fuzzy Hash: 3741D771A00619BADF209EA4DC45FEFB7BEDF49710F00006DF901A7281DB75AA458BB5

Function 0067099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006709A9

Strings

Dto, xrefs: 0063A477
Dto, xrefs: 0063A2B1

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClearVariant
String ID: Dto$Dto
API String ID: 1473721057-1751448593
Opcode ID: 2d1d3040cfedd7072f466bbdcc41e77c0f823b70a5d0148f88c72336374b8b66
Instruction ID: 6755e204080d26221b24eb6e3fc91f77bca788cb615a431b8b10edfc5e728cc9
Opcode Fuzzy Hash: 2d1d3040cfedd7072f466bbdcc41e77c0f823b70a5d0148f88c72336374b8b66
Instruction Fuzzy Hash: 40510278608342CFD754CF59C480A6ABBF2BB99354F54885DE9858B361D332EC81EB92

Function 006A2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006A28C8

Strings

|, xrefs: 006A2899

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: db2c3e78d9703a9530e7253d79c54d6cf172912cebb713fa10e50a443561f2a0
Instruction ID: 2524ec153b12e8bf7997ad91416adbed5cab068e66e7b2f6124820b73bba63e3
Opcode Fuzzy Hash: db2c3e78d9703a9530e7253d79c54d6cf172912cebb713fa10e50a443561f2a0
Instruction Fuzzy Hash: C0313D7180011AAFDF51EFA5CC85EEEBFBAFF09300F104069F815A6265DB315A56DBA0

Function 006B6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006B6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006B6DC2

Strings

static, xrefs: 006B6D22

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 01d96db8d5d413fd787b5ec8e341492876059d1fda0fc8caac1ee748b0bdb10c
Instruction ID: 7e133d0049207df4ed0ee657c0a3f259346f826a69576dfe04f79e9032bdfd94
Opcode Fuzzy Hash: 01d96db8d5d413fd787b5ec8e341492876059d1fda0fc8caac1ee748b0bdb10c
Instruction Fuzzy Hash: 6931A1B1200204AEDB109F78CC40AFB77BAFF48720F10961DF895871A0DB75AC91DB64

Function 00692D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00692E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00692E3B

Strings

0, xrefs: 00692DF9

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 98953fbc5d9541b772691ab717e665cdb8b936a292e04e61db5e53a1f95e93ea
Instruction ID: b8028709f29126823b7af48ec1eb563a9266fa2bcd724909b01f79d11a8c7547
Opcode Fuzzy Hash: 98953fbc5d9541b772691ab717e665cdb8b936a292e04e61db5e53a1f95e93ea
Instruction Fuzzy Hash: E231BF35A0030ABBEF258F58C9C5BEEBBBFEF05350F14042EE985966A1E7709944CB54

Function 006B6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006B69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006B69DB

Strings

Combobox, xrefs: 006B699D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 4dbc7dddd0e5e31948dcf05f2350c48d8c0584a3a99fbd1641eb2c7c55c5b6cd
Instruction ID: e60b3f86c50f4746778595b0da7373d64a5227a72c517c761f02348287d496b6
Opcode Fuzzy Hash: 4dbc7dddd0e5e31948dcf05f2350c48d8c0584a3a99fbd1641eb2c7c55c5b6cd
Instruction Fuzzy Hash: F71198B17002096FEF15AF14CC90EFB376BEB953A4F114125F958973A0D6759C9187A0

Function 006B6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00631D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00631D73
Part of subcall function 00631D35: GetStockObject.GDI32(00000011), ref: 00631D87
Part of subcall function 00631D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00631D91

GetWindowRect.USER32(00000000,?), ref: 006B6EE0
GetSysColor.USER32(00000012), ref: 006B6EFA

Strings

static, xrefs: 006B6EBD

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1815fd84e033d60ab04c41bbfab8e7e75479eb77b8830fd05aba2972da9ef2d9
Instruction ID: 7dd35e0f72fe32a76a85226b38d6d5139f6aec3f1708c0d5830f1fdfdd955179
Opcode Fuzzy Hash: 1815fd84e033d60ab04c41bbfab8e7e75479eb77b8830fd05aba2972da9ef2d9
Instruction Fuzzy Hash: EA2159B2610209AFDB04DFA8DC45AFA7BBAFB08314F004628FD55D3250E774E8A1DB50

Function 006B6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006B6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006B6C20

Strings

edit, xrefs: 006B6BF5

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: a772d50d8a7ff352fac015d1c8105c4ff582cb352df60f41ec090c756b5624eb
Instruction ID: 662092112ea9b9f5a2385cb663bcc4a5e8ca2337b610ffe68fdd14674435b4e3
Opcode Fuzzy Hash: a772d50d8a7ff352fac015d1c8105c4ff582cb352df60f41ec090c756b5624eb
Instruction Fuzzy Hash: F3119AB1100208ABEB208F64DC41AEA3B6BEB15368F204724F961D72E0C779DCE19B60

Function 00692E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00692F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00692F30

Strings

0, xrefs: 00692F07

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 445aa278a74bbae420f924751ff274ca2b723a3bc3102e1e814cdd1898e21ccd
Instruction ID: 75b5ac2b6f009ba389712c4cee55b1379cba62ffc4a6a20cf50268e72a36d688
Opcode Fuzzy Hash: 445aa278a74bbae420f924751ff274ca2b723a3bc3102e1e814cdd1898e21ccd
Instruction Fuzzy Hash: B711BE31941216BBCF20DB58DD58BE977BFAB01310F0400A5F854A77A0D7B0ED04C791

Function 006A24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006A2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006A2549

Strings

<local>, xrefs: 006A2511

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 078baef45356c74858c2b5ce21a7b7d0113f0b8228ce06522fa5fa9b5ef0eb83
Instruction ID: 31c9388c9c7bdef3e6958312eb2eef55e4ed0e28e6fd1166586ef456fa278ec2
Opcode Fuzzy Hash: 078baef45356c74858c2b5ce21a7b7d0113f0b8228ce06522fa5fa9b5ef0eb83
Instruction Fuzzy Hash: 2111C470981226BAD724AF558CA4EF7FF9AFB07751F10412AF50546140D2705D81DAB0

Function 006A80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006A830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006A80C8,?,00000000,?,?), ref: 006A8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006A80CB
htons.WSOCK32(00000000,?,00000000), ref: 006A8108

Strings

255.255.255.255, xrefs: 006A80E3

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: e0309fbe5bae66427f7c9b8a9d4f4ac3d74d3078b0931771ae9f23e2639dc33a
Instruction ID: 68ae4afe2e2cedbdeb4e60088a8de6fd29b549f4e8bdb43ea88b363358555c93
Opcode Fuzzy Hash: e0309fbe5bae66427f7c9b8a9d4f4ac3d74d3078b0931771ae9f23e2639dc33a
Instruction Fuzzy Hash: 6111CE74200205ABDB20AFA4CC46BEDB726FF15320F10862AE91197291DA32AC118B99

Function 00640A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00633C26,006F62F8,?,?,?), ref: 00640ACE

Part of subcall function 00637D2C: _memmove.LIBCMT ref: 00637D66

_wcscat.LIBCMT ref: 006750E1

Strings

co, xrefs: 00640B0E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: co
API String ID: 257928180-2012008497
Opcode ID: 171c7142042f8d7e1f0b33c79aae680ec5566df0d30e8e77160718aaf2261702
Instruction ID: 3dc3ebcdb4d6d9e24ec6dcfe43e5fac1cd05835ecb8881e7d1a82ca6ead65572
Opcode Fuzzy Hash: 171c7142042f8d7e1f0b33c79aae680ec5566df0d30e8e77160718aaf2261702
Instruction Fuzzy Hash: FF11C87190421C9B8B90EB64DC06EED77FBEF08340F0050A9FA49D7251EA71DB888759

Function 006892E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 0068B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0068B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00689355

Strings

ComboBox, xrefs: 006892F4
ListBox, xrefs: 0068931F

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a27e066767437cfa52598e6cb9decbf7c01cddaec1c343dd6b0e104c3c171860
Instruction ID: b96f10fb9d1d8efe8e9d1c0f53d89ba1af7981dcf99766b73f834490c59b6773
Opcode Fuzzy Hash: a27e066767437cfa52598e6cb9decbf7c01cddaec1c343dd6b0e104c3c171860
Instruction Fuzzy Hash: D1019E71A05315ABCB14FBA5CC918FE776BBF06320B14071DB932572D2EA315908D7A0

Function 0069901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00699036
__fread_nolock.LIBCMT ref: 0069904B

Strings

EA06, xrefs: 0069907D

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 684862bfbebec4c642192266bc1d277584cfae1907d03948a4f841eaa556c303
Instruction ID: 04e65cc40b42df6584ff82a3d1d044ba35e4c31f29e6c62b98abe86a77854bd1
Opcode Fuzzy Hash: 684862bfbebec4c642192266bc1d277584cfae1907d03948a4f841eaa556c303
Instruction Fuzzy Hash: D101F971804258BEDB28C6A8C81AFFE7BFC9B11301F00419EF552D6181E575A6088B60

Function 006891DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 0068B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0068B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0068924D

Strings

ComboBox, xrefs: 006891EC
ListBox, xrefs: 00689217

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 34b3bc07ac1e5ec3de25278903e57911196071fcbc7a5f10d05d0aa2e46d08f1
Instruction ID: 760587a5491e5e9cbdd16884ee899d9ca846f7407c592b9d3e1a52bfa1eccc12
Opcode Fuzzy Hash: 34b3bc07ac1e5ec3de25278903e57911196071fcbc7a5f10d05d0aa2e46d08f1
Instruction Fuzzy Hash: C901A7B1A512057BCB54FBA0C9A2DFF73AE9F05300F14021DB912672D1EA116F0C97B5

Function 00689264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637F41: _memmove.LIBCMT ref: 00637F82

Part of subcall function 0068B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0068B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 006892D0

Strings

ComboBox, xrefs: 00689271
ListBox, xrefs: 0068929C

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 99fe7729bc6c938c84ef9ebda6811c1848b5b2e4f05c36e5085026002d4ee5d9
Instruction ID: 1ae3c4a9d11f842349a0728414f66d6f8916b3838811d184555cd10a1e16e71e
Opcode Fuzzy Hash: 99fe7729bc6c938c84ef9ebda6811c1848b5b2e4f05c36e5085026002d4ee5d9
Instruction Fuzzy Hash: 6F01D6B1A5120977CB14FBA4C992EFF77AE9F11300F28021DB812672C2DA215F0C93B5

Function 00656DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00656DD0
__calloc_crt.LIBCMT ref: 00656DE9

Strings

@Ro, xrefs: 00656E00

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: __calloc_crt
String ID: @Ro
API String ID: 3494438863-3663402957
Opcode ID: 12585751d61f06d3d624bb33bf90a795e5686987b16f3405d3a4d04caa93753b
Instruction ID: 3dd1440080c26b2aa3332cc21a0a84287752e7e5ec39d5753e6eaf4c1905ea96
Opcode Fuzzy Hash: 12585751d61f06d3d624bb33bf90a795e5686987b16f3405d3a4d04caa93753b
Instruction Fuzzy Hash: 8FF0C2713097129BF764CF19FC016B127A7FB40321F50192AF900DB281EBB08989C784

Function 006951CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006951E8
_wcscmp.LIBCMT ref: 006951FA

Strings

#32770, xrefs: 006951F4

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 647dfcaeedbc9a3646c3222560e7261f4b9e20065bcccf74d6bb1ed1ba36bc43
Instruction ID: a995872b9c1e4ae7146281b5332f686fffa210d1de66d06f9dbdbd70f5b194bf
Opcode Fuzzy Hash: 647dfcaeedbc9a3646c3222560e7261f4b9e20065bcccf74d6bb1ed1ba36bc43
Instruction Fuzzy Hash: 77E0617290032C1BD7109B95AC05FA7F7ADEB44771F00016BFD10D3150D5609A4487D1

Function 006881BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006881CA

Part of subcall function 00653598: _doexit.LIBCMT ref: 006535A2

Strings

Error allocating memory., xrefs: 006881C3
AutoIt, xrefs: 006881BE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 7c133a07b6be64181d1ea11cb03818fcc3bb939ad634f53aa8363bd9d892b2c9
Instruction ID: 1bcf9e3a8c29dab069e35d2ca797d95247af19c308511f636b0eca1023f14b00
Opcode Fuzzy Hash: 7c133a07b6be64181d1ea11cb03818fcc3bb939ad634f53aa8363bd9d892b2c9
Instruction Fuzzy Hash: C5D012323C535836D25533A56C0BFC5668A4B16F52F004419BF08596D38ED555C142ED

Function 0066B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0066B564: _memset.LIBCMT ref: 0066B571

Part of subcall function 00650B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0066B540,?,?,?,0063100A), ref: 00650B89

IsDebuggerPresent.KERNEL32(?,?,?,0063100A), ref: 0066B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0063100A), ref: 0066B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0066B54E

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 99f0fca7da3082bf5e5d283765c2bc7d8f6b3b327c9ab7fc9cda8d0bf9e76ad7
Instruction ID: 3170394b2da80fa66057b6017102a3ba7c871cc39c98e9b96aef12f46decfdb8
Opcode Fuzzy Hash: 99f0fca7da3082bf5e5d283765c2bc7d8f6b3b327c9ab7fc9cda8d0bf9e76ad7
Instruction Fuzzy Hash: 42E092B0600312CFD371DF29D9143827BE2AF00704F009A2DE846C3361E7B5D588CBA1

Function 006B5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006B5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006B5C08

Part of subcall function 006954E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0069555E

Strings

Shell_TrayWnd, xrefs: 006B5BEE

Memory Dump Source

Source File: 00000000.00000002.1679451381.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1679393623.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006BF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679501400.00000000006E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679541032.00000000006EF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1679557956.00000000006F8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_O06_SWIFT PAYMENT.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0c4c9db8ff3d6d796a3614b44e3d0db24c90f86c59f32dd3302370b912044184
Instruction ID: 1c96ecd21d2b205bec473da5479503ef28a4d30b58534efb907e901561ebae27
Opcode Fuzzy Hash: 0c4c9db8ff3d6d796a3614b44e3d0db24c90f86c59f32dd3302370b912044184
Instruction Fuzzy Hash: 64D0A932388300B6E7B4AB70AC0BFE32A16AB00B00F000828B606AA0E0D8E06840C210

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report O06_SWIFT PAYMENT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autCB37.tmp

C:\Users\user\AppData\Local\Temp\uppishly

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
O06_SWIFT PAYMENT.exe

Function 00633B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00634FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00634AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 006993DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00633015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74
windowregistryCOMMON

Function 00633041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 006371EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00633633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00633A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00633778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0063F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00CC21E8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006339E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00CC1FB8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 0063410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON